Make certain you're aware of the rights and obligations of open-source, says Maryfran Johnson.

Key Financial Firms Compare Notes on Disaster Recovery

Is Your Data Safe Offshore?

We went to India and China, the two hottest offshore outsourcing destinations, to find out. Our on-location coverage from Bangalore and Shanghai begins on page 6.

BY LUCAS MEARIAN

A group of top financial services companies confirmed last week that their IT executives have met to share current disaster recovery schemes and discuss future technology recovery strategies. And what they found was that they had a lot in common — including headaches.

"To start with, I found out I'm not alone. All banks are struggling with this," said Todd Baumann, director of enterprise business continuity at Huntington Bancshares Inc. in Columbus, Ohio.

The Technology Recovery Project involved an information exchange among eight banks (see list, page 14). IBM, Microsoft Corp. and Veritas Software Corp. also participated in the project, which was organized by the New York-based Financial Services Technology Consortium and took place between November 2003 and June of this year. The banks and bank holding companies looked at mainframe, open systems and stor-

Disaster Plans, page 14

App Tests for Win XP SP2 Burden Users

Most delay installing XP security update

BY CAROL SLIWA

Microsoft Corp.'s Service Pack 2 is an important security-focused update for corporate users running Windows XP. But in the three weeks since its release, it's been a tough pill for many to swallow, as they struggle to test tens, hundreds and, in some cases, at least 1,000 applications against it.

Only two of 32 IT managers who responded last week to a Computerworld survey conducted via e-mail and telephone said their companies had deployed SP2, and in both cases they did so as part of Microsoft early-adopter programs. The majority said they're still testing SP2 to determine its compatibility with the applications their companies run.

"As we get closer to the holidays, we don't make changes of this significance because we don't want to disrupt our environment so close to our

SP2, page 45
Encryption Must Move Beyond SHA

Progress in breaking the MD5 and SHA hash functions means it's time to find a new hash standard. Page 28

Who Owns the Web?

In the Management section: When business units fight for control of the corporate Web site, the company loses. Page 31
SPECIAL REPORT

Is Your Data Safe Offshore? In India, IT outsourcers are bolstering security in response to demand from U.S. clients. And Chinese service providers are try-

NEWS

The SEC has postponed by one year a Sarbanes-Oxley Act deadline for swifter filing of annual corporate reports.

U.S. Army payroll systems have been pushed past their breaking point by the war in Iraq, causing problems for reservists, says the GAO.

The TSA plans tests of new airport security technologies, but lawmakers and industry executives are frustrated by the slow pace of deployment.

Wireless WANs move beyond fixed points as Washington State Ferries plans to offer Wi-Fi service on its vessels.

49 Organized Crime Invades Cyberspace. Script kiddies and vandals get the publicity, but pros with a profit motive are moving into cybercrime.

24 Directory Assistance. Virtual directories provide a faster, easier way to connect directory-dependent applications with the user data they need.

26 QuickStudy: Fuzzy Logic. An extension of Boolean logic, fuzzy logic is designed to come up with answers when data is vague or imprecise.

27 Security Manager's Journal: Company Secrets Hit the Exits. Mathias Thurman discovers that executives are free to leave his company with laptops loaded with strategic applications and data.

MANAGEMENT

33 Petite Portfolio. Several small projects can add up to big risks. Managing them efficiently requires a blend of rigor and common sense.

36 Who's Who in IT: The Thrill of Crisis. You may think database administration is a skill, but DBA Gary Rue knows it's an art. In his world, a crisis is always just around the corner.

37 Book Reviews: From IT Governance to Hacking. These new books can help you survive as a CIO, set up effective IT governance, profit from agile project management and outwit hackers.

10 On the Mark: Mark Hall learns of ways to thwart theft by iPod, kill spam before it reaches your network and create a virtual directory.

Maryfran Johnson sees something big in Duke Power's decision to give its framework for .Net development to the open-source community. But the move raises questions about licensing that all IT managers should investigate.

Dan Gillmor thinks Microsoft should use some of its billions in reserves to ensure that the next PC you buy doesn't need immediate XP upgrades.

Pimm Fox has some advice for the agency behind the anti-terror "no-fly" list: Get the technology right.

38 Gopal K. Kapur says project managers tend to point to two key causes of project failures: half-baked or harebrained ideas and excessive scope creep. What's his solution? Just say no.

46 Frankly Speaking: Frank Hayes warns that before you junk data storage devices, remember that any information they contain is dangerous in the wrong hands.

Phishing: Are You Responsible? IT MANAGEMENT: Those e-mails trying to con customers into parting with sensitive information may not be connected to your company, but washing your hands of the mess is bad for business, says new IT Ethics columnist Larry Ponemon. QuickLink 24920

Apple Remote Desktop 2 "Well Worth the Money." MACINTOSH: Columnist Yuval Kossovsky takes Apple Remote Desktop 2 out for a spin and finds that its new management features make it an upgrade that's worthy of consideration. QuickLink 48931







Computerworld, August 30, 2004

NEWS SPECIAL REPORT

www.computerworld.com





Security Expectations, Response Rise in India

INCREASINGLY TOUGH DEMANDS FROM U.S. CLIENTS SPARK CHANGE. BY JAIKUMAR VIJAYAN, BANGALORE

A TALL ELECTRIC FENCE secures the perimeter of Wipro Technologies' main campus in Bangalore's Electronic City. Inside, just behind the sliding steel gates, is a checkpoint where security personnel issue photo-ID badges to all visitors. Card keys and biometric authentication devices control access to the various development centers in sleek buildings dotting the landscaped campus. Closed-circuit TVs provide constant surveillance. At the same time, an invisible perimeter of event logging and monitoring tools, intrusion-detection systems, firewalls and encryption technologies protects the company's information infrastructure.

Such measures are what's needed to allay security concerns for U.S. clients outsourcing work to Wipro, said J. Pazhamalai, information security manager at the $1 billion IT services vendor. "Data security and privacy used to be an afterthought," Pazhamalai said. "Now customers are talking about it right at the RFP stage itself. They want a security plan with the proposal."

Wipro and other Indian outsourcing vendors are bolstering their security and privacy practices in response to U.S. concerns stemming from the compliance requirements of laws such as Sarbanes-Oxley, Gramm-Leach-Bliley and HIPAA. The key threats include unauthorized data access, accidental information loss and sabotage, loss of intellectual property, and damage from worms and viruses.

A growing number of companies "are seeking stringent contractual guarantees related to the security and privacy of data that could be remotely accessed as part of IT application development, testing or [business process outsourcing]," said Rusi Brij, CEO of Hexaware Technologies Ltd., a Mumbai-based service provider with facilities in Bangalore. "They are demanding documented, auditable procedural controls."

Regulatory compliance is what's driving much of the need for such measures, agreed Ram Mouli, vice president of technology planning and development at T. Rowe Price Group Inc. The Baltimore-based investment management firm, which manages assets worth more than $206 billion, has outsourced several application development projects to India.

"New regulations from the SEC and other regulatory agencies have created a need for several internal controls for application development, change control and maintenance," Mouli said. "These controls have to be extended offshore and monitored."

The result is "tremendous scrutiny right now on data security, access controls and privacy" related to offshore work, said the chief technology officer of a Chicago-based service provider for the financial industry who spoke on condition of anonymity. "Some of our customers have asked us to fill out extraordinarily detailed questionnaires in which they ask us to attest to our security controls so they in turn can include that in their compliance documents," he said.

The trend is resulting in a much greater focus by both U.S. companies and their Indian vendors on issues such as security certifications and audits, identity management and application provisioning, and on detailed event logging and monitoring activities (see "Security Checklist," page 7).

There's no question that security expectations have risen sharply, said S. Gopalakrishnan, chief operating officer at Bangalore-based Infosys Technologies Ltd., one of India's largest IT services vendors, with revenue of more than $1 billion. "It's become a lot more explicit now. We've had to improve on and formalize a lot of things" from a data security standpoint, he said.

One example is a backup storage site that Infosys recently established outside India in nearby Mauritius. All client backup tapes are shipped weekly to the site as a precaution. In addition, each client has been assigned a standby backup facility in an alternate location, Gopalakrishnan said.

Indian business process outsourcing (BPO) companies, which typically handle a lot more sensitive information when servicing their clients than pure IT development shops, take extra precautions. Wipro Spectramind, a $95 million BPO subsidiary of Wipro, prohibits employees from carrying mobile phones or pens and paper to their work areas. "The ability for employees to carry data out of the facility is minimized to what they can carry in their heads," said Sunil Gujral, vice president of technology.

As with other BPO outfits and many IT development shops, at Spectramind, any ports and devices that can be used to store or copy data are disabled on all PCs and notebooks that employees might need to use to deliver services for U.S. clients. A majority of its call center agents access customer systems via bare-bones Citrix Systems Inc. terminals that provide no avenue for data to be stored or copied.

"[Spectramind] only has the ability to view [our] data," said Chris Larsen, CEO of E-Loan Inc., a Pleasanton, Calif.-based online provider of consumer loans that has outsourced a portion of its back-office home-equity underwriting functions to Spectramind. "They do not have the ability to store, share, print or retain data in their India-based computers and systems."

E-Loan also uses a variety of technologies from companies such as Tripwire Inc. and open-source tools like Nagios to monitor and log activity at Spectramind, Larsen added.

Ongoing Risks

Despite the measures to bolster security, the relative dearth of security professionals in India, the breakneck growth of its IT industry and an onerous legal system continue to pose risks that must not be overlooked, cautioned Samir Kapuria, an analyst at @stake Inc., a Cambridge, Mass.-based consultancy. Much of the growth in Indian IT jobs over the past few years has been in areas such as application development and maintenance, rather than in a "niche job" such as IT security, Kapuria noted.

On paper at least, India has several laws that cover data security and privacy issues. The most prominent one is the Indian Information Technology Act of 2000, which makes the unauthorized use of data a punishable offense. But timely enforcement of such laws could prove difficult, given the excruciatingly slow pace of the country's legal system. That poses a significant threat from an intellectual property protection standpoint, Kapuria said.

Moreover, the distance factor can help conceal risky practices, especially when dealing with smaller firms. For example, a fast-growing BPO company that was recently moving to a larger facility decided to move some of its servers to a nearby Internet cafe, where it connected to its U.S. clients, because of a delay in the opening of its new facility.

And although the practice appears to be rare, Indian firms have been known to subcontract work out to companies in other countries without the knowledge of the U.S. client and with none of the security measures that might have been originally agreed upon.

But the reputable providers appear to have gotten the security message from their clients. It's no longer enough for Indian companies to "simply say they are addressing the issue," Gopalakrishnan acknowledged. "They've got to be able to show how they are addressing it." QuickLink 49098

MORE ONLINE: For related news, visit our Offshore Outsourcing special coverage page.

JOLLY TECHNOLOGIES INC., a San Carlos, Calif., maker of labeling products for the printing industry, is finding out the hard way just how tough it can sometimes be to [illegible].

In May, the company set up a small software development center in Mumbai. Among the approximately 20 people it hired in the western [illegible] to her Yahoo personal e-mail account.

[Illegible] the theft, was immediately [illegible], said Brett Changus, Jolly's chief financial officer. "[Illegible] pretty much where things are, even now," Changus said last week. "The police there [illegible] to us."

As a result, more than a month after the complaint was filed, no action has been taken against the woman, [illegible] the company earlier this month decided to file a lawsuit against the Mumbai police department over its alleged failure to take action in the case.

"[Illegible] laws there, but so far, we have received zero protection," Changus said.

[Illegible] could not be reached for comment.

"[Illegible] cautions we could. But if we can't protect our IP, there is no way we can do business there," he said. "People have to know that they just can't steal confidential information and get away with it."

[Illegible] the National Association of Software and Service Companies (Nasscom), is acutely aware that the country's flourishing [illegible] if data protection can't be [illegible].

[Illegible] launched an education campaign aimed at judicial and police authorities as well as the ministries of IT and law, association vice president Sunil Mehta said. The idea is [illegible] enacting legislation that can be more easily enforced.

Nasscom is also working [illegible] use to more quickly and reliably verify an employee's [illegible] other background information [illegible].

The global database will be [illegible] won't be used as an instrument for blacklisting employees, he said.

- Jaikumar Vijayan
Security Checklist

• REQUIRE Indian vendors to have their development centers audited by established firms or be certified under international data security and audit standards such as BS7799 or SAS70. Many companies also reserve the right to do spot audits and checks.

• ENSURE the use of encryption, firewalls and intrusion-detection systems to deal with malicious attacks. To watch for insider threats, companies have begun mandating content-filtering tools and event logging and monitoring technologies on the networks connecting U.S. clients with their Indian providers.

• CONDUCT rigorous background checks on employees and require them to sign confidentiality agreements prohibiting the disclosure of proprietary information when they leave the company.

• FOCUS on physical security and access-control systems, business continuity and disaster recoverability. Many companies insist on off-site storage and alternate sites.

At Wipro, a fortified physical perimeter is complemented by an invisible perimeter of intrusion-detection systems, firewalls and encryption.
Overcoming the Piracy Stigma in China

PROVIDERS 'OVERCOMPENSATE' FOR THE RISK. BY SUMNER LEMON, SHANGHAI

WALK into the access-controlled room full of software developers at Bleum Inc.'s headquarters here and you can't miss the slogan written in large blue and black letters that stretches across the far wall: "Protect our customer."

The message is there to serve as a constant reminder for Bleum's team of English-speaking software engineers of the importance of keeping clients' software code secure, said Eric Rongley, the outsourcing service provider's founder and CEO.

Concerns about the protection of intellectual property and proprietary corporate data are hardly unique to China. But the security risks are greater here than in locations such as India or Eastern Europe, Rongley said. "It's definitely in the interests of a company here to overcompensate for it," he said.

China's poor reputation for intellectual property protection stems largely from the widespread availability of pirated DVD movies and software. Last month, the Business Software Alliance in Washington estimated that 92% of software used in China during 2003 was unlicensed and illegal. That figure tied the country with Vietnam for the dubious distinction of having the world's highest piracy rate.

But a high piracy rate for packaged applications doesn't inherently place outsourced software development projects at risk, said Chen Lingsheng, vice president of greater China at BearingPoint Inc., calling security concerns in China overblown. Outsourcing projects to companies in China can be as secure as anywhere else, he said.

"We had a major financial client from the U.S. come over here to do a security audit before they would give us a project, and we passed the audit," Chen said, noting that BearingPoint follows the same security procedures in China that it uses in the U.S.

In addition to conducting security audits, those procedures include strictly enforcing nondisclosure agreements and restricting development work to facilities that require a keycard for access.

BearingPoint and other outsourcing service providers in China are willing to go even further to meet their customers' security demands. For example, BearingPoint developers have access only to code and project documentation.

"As an outsourcing service provider, we take it very seriously to protect our clients' secrets and business data," said Walter Fang, group vice president and chief technology officer at Neusoft Group Ltd., a Chinese software company based in the northeastern city of Shenyang. Neusoft employs 1,500 developers who work on outsourcing projects at several locations in China.

Neusoft allocates separate buildings for major clients such as Toshiba Corp. and Alpine Electronics Inc., and it restricts access to the buildings to staff working with those companies, Fang said. On-site offices are available to each client's project managers, and Neusoft can provide them with individual phone lines rather than company extensions, he said.

Aside from physical security measures, Fang said foreign companies can build effective legal protections into their contracts with outsourcing providers in China. For example, Neusoft's contracts with its Japanese clients are typically designed to be enforceable in both Japan and China while offering an avenue for arbitration with a third party under Hong Kong law, he said.

For companies that want to keep a closer eye on outsourced development projects, BearingPoint has offered to install video cameras to monitor work in project rooms at its facilities in Shanghai and the northeastern Chinese city of Dalian, Chen said.

At Bleum's highest level of security, Rongley said, the company offers a "shadow group" of developers who are given financial incentives to uncover vulnerabilities in software developed by the lead development team. The shadow developers examine the code for security holes such as back doors or opportunities for buffer overflows that would allow attackers to run executable code.

While these and other measures may help to guarantee the security of a customer's code and data, the best way to improve intellectual property protection in China is to change cultural attitudes, according to Rongley. He noted that service providers can advance the cause through training sessions and staff meetings.

And even slogans on the wall. QuickLink 49092

Lemon is the IDG News Service correspondent in Taipei.

Photo captions: [illegible] on the wall at Bleum Inc. in Shanghai. [Illegible] in Shanghai have access only to code and project documentation.
Storage Subsystem Out of Longhorn

Microsoft Corp. announced Friday a change in plans for the next major release of Windows, which is code-named Longhorn. The new Windows storage subsystem, code-named WinFS, won't be part of the Longhorn client, as previously planned. Microsoft said WinFS will be delivered after the Longhorn release. The company said the Longhorn client is targeted for general availability in 2006. It said it expects the Longhorn server release to be available in 2007.

Cisco Warns of Two Security Flaws

Cisco Systems Inc. last week warned about security holes in two products that provide user authentication and authorization services: the Cisco Secure Access Control Server for Windows, and the Cisco Secure Access Control Server Solution Engine. Cisco recommended that customers with service contracts obtain the updates using the Cisco Product Upgrade Tool or by contacting its Technical Assistance Center.

Oracle Again Moves Offer for PeopleSoft

Oracle Corp. on Thursday filed another extension in its hostile $7.7 billion bid to acquire PeopleSoft Inc., this time pushing the deadline ahead two weeks to Sept. 10. Oracle said it now has 21.7 million tendered shares - 6% of PeopleSoft's outstanding total.

U.K. Agency Adopts Sun's Java Desktop

The U.K.'s National Health Service last week said it purchased 5,000 licenses for Sun Microsystems Inc.'s Java Desktop System as an alternative to Windows. The NHS is spending $9 billion to upgrade its IT infrastructure. It began evaluating the use of Sun's open-source desktop system in December.
ON THE MARK

HOT TECHNOLOGY TRENDS, NEW PRODUCT NEWS AND INDUSTRY GOSSIP BY MARK HALL

Ways to Steal . . .

. . . critical corporate information. So warns Gartner Inc. in a report detailing how data crooks can use portable music players like Apple Computer Inc.'s iPod to rob you blind [QuickLink 47983]. Vladimir Chernavsky, CEO of AdvancedForce InfoSecurity Inc. in San Ramon, Calif., amplifies that concern by including Bluetooth devices, floppy disks, CDs and virtually anything that can store data and use a pair of legs to leave the premises. "Someone carrying a hard drive out of a building would be suspicious, but carrying an iPod is not," he observes. "Now everyone is potentially James Bond." As you would expect, Chernavsky has a solution: DeviceLock. His company has the exclusive North American rights to sell the software from its Russian authors at SmartLine Inc. DeviceLock is designed to prevent data from being written to any device type. But it's flexible enough that you can, for example, permit Universal Serial Bus keyboards to be used, but not USB storage systems. A new release coming in November will let you centrally log the files that you do permit to be written to a mobile device, so you'll know whether an executive is updating his Bluetooth unit's contact list or downloading your entire customer file. It runs $35 for a single license, but that price can fall to less than $7 when you get 1,000 or more licenses. Think of it as a little something from Russia with love.

Kill Spam Before . . .

. . . it reaches your network. That's the wisdom from Scott Petry, chief technology officer and founder of Postini Inc. in Redwood City, Calif. He claims that his service stops 50% of the 400 million e-mails destined for his customers' networks every day, because they're spam. "If you're blocking them at your gateway, it's much more expensive," he says. He argues that service providers such as Postini are more efficient because they can see "the SMTP conversation" on the Internet and quickly identify and remove spam- and virus-laden messages. Petry says privately held Postini is profitable, growing at close to 180% this year and looking to acquire companies in what he expects will be a rapidly consolidating market over the next year.

Event-Driven Data Gets Pushed . . .

. . . to users' screens with publish-and-subscribe tool. KnowNow 3 from KnowNow Inc. in Sunnyvale, Calif., eliminates the need for end users to request reports on data generated across the HTTP-based networks. The server software "dual posts" requested data and immediately directs it to a user's screen or to an application. For example, upon completing an online form, a Web visitor can be instantly sent to an available customer service agent, or sales data entered in an ERP system can be immediately sent to a sales executive's desktop spreadsheet. Version 3, which ships at the end of next month, includes a new module for Microsoft SharePoint systems, more granular event filtering and added database support. Pricing starts at $15,000.

Tech Support Goes Remote . . .

. . . with a hosted service from Citrix Systems Inc. GoToAssist 6.0, which is set for release on Sept. 14, lets your technical service reps remotely view and control the PCs of end users who are baffled by the behavior of their Windows machines. The upgrade includes nifty improvements such as giving technicians the ability to remotely reboot a machine and then retain the link to the user's PC after the restart in case the problem persists. There's no need for the troubled end user to have client software, so customer support can be handled on an ad hoc basis. Each session is 128-bit encrypted for secure communications. The service works for both desktops and servers, and Citrix is planning Linux and Unix support in the coming months. Pricing starts at $325 per month per tech-support agent, with a one-time start-up charge of $700. There are no session fees or end-user time limits for the GoToAssist service.

[Chart: Monthly user support sessions handled by Citrix GoToAssist.]

Forget Centralized Directory Efforts . . .

. . . they're doomed. There are just too many sources with too many methods and schemas scattered throughout your company to get under control. So, should you just give up? Maybe not. Michel Prompt, CEO of Radiant Logic Inc. in Novato, Calif., claims that a virtual directory is the solution. "Trying to centralize and create the überdirectory has been a big failure," he says. "But virtualization works." In effect, your users query the virtual directory, which handles the protocol and other differences among the various directories linked to it. Radiant One 4.0, which ships this week, can even virtualize Web services. By October, when 4.1 ships, Radiant will release federated security services that will authenticate users and their rights across multiple directories. Expect to pay about $50,000 to sidestep nonvirtual doom.

QuickLink 49095
[Advertisement]

There is no one, single solution to security.

But there is one source for ongoing security guidance.

Go to the Security Guidance Center at microsoft.com/security/IT to see the newest additions, including:

Microsoft® Windows® XP Service Pack 2: Download and evaluate the latest updates for increased system control and proactive protection against security threats.

Free Online Self Assessment: Complete this free, Web-based self assessment to help you evaluate your organization's security practices, and identify areas for improvement.

Free Updates and E-mail Alerts: Stay on top of the latest security issues quickly and easily by signing up for free Microsoft Security Communications.

Free Security Tools: React more effectively to potential security threats. Take advantage of free tools and technologies like the Microsoft Baseline Security Analyzer and Software Update Services.

Visit the Security Guidance Center regularly for the latest security developments. It's continually updated so you can find the tools and training you need to help better protect your company, all at one centralized resource. For proactive protection and ongoing guidance, visit microsoft.com/security/IT today.

Microsoft

© 2004 Microsoft Corporation. All rights reserved. Microsoft and Windows are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.
HP’s Virus Throttler Service Is Shelved

Six months after unveiling technology designed to choke off the spread of viruses, Hewlett-Packard Co. is shelving the project. The company won't be releasing a security service called Virus Throttler because it requires operating system changes that are incompatible with Windows, HP said last week.

Cisco to Purchase P-Cube for $200M

Cisco Systems Inc. said last week it has agreed to acquire Sunnyvale, Calif.-based software developer P-Cube Inc. in a deal that Cisco valued at $200 million. Cisco plans to continue selling P-Cube’s software, which helps service providers analyze and control network traffic, as stand-alone products. The company said it will also work on incorporating the technology into its own hardware and software.

U.S. Forest Service To Cut 500 IT Jobs

The U.S. Department of Agriculture Forest Service is cutting the equivalent of 500 full-time IT jobs in a reorganization of its IT department. Forest Service employees won a competitive sourcing contract to manage the IT department. The workers had bid against undisclosed private companies for the contract, which is valued at $295 million. The Forest Service expects to save approximately $100 million over the five years the agreement is in place.

Short Takes

The U.S. POSTAL SERVICE signed a $35 million contract with SAP AMERICA INC. for a Web-based human resources application. . . . MICROSOFT CORP. said it has finished work on Microsoft Operations Manager 2005, a major update to its MOM 2000 performance management software.
SEC Deadline Delay Signals Sarb-Ox Relief

Should help ease transition to new reporting mandates

BY THOMAS HOFFMAN

THE U.S. SECURITIES and Exchange Commission last week announced that it will delay an accelerated filing period for annual reports — a move expected to help big companies transition more easily to year-end reporting requirements under the Sarbanes-Oxley Act.

In 2002, the SEC made a change to the Securities Exchange Act of 1934 that shortened the amount of time companies would have to file their quarterly and annual reports after the end of a fiscal period.

The filing requirements for companies with a market capitalization of $75 million or more shrank from 90 days within the close of a business cycle to 75 days this year. It was scheduled to be cut to 60 days next year.

But sources close to the issue said the SEC was being pressured by big accounting firms to maintain the 75-day filing requirement for one more year to help big companies make their first transition to a year-end Sarbanes-Oxley deadline. Under the SEC proposal issued last week, the current deadline for so-called accelerated filers would remain at 75 days for annual reports and 40 days for quarterly reports. The accelerated-filing phase-in period would resume for reports filed for fiscal years ending on or after Dec. 15, 2005. SEC registrants have 30 days to comment on the proposal.

Under Section 404 of the Sarbanes-Oxley Act of 2002, large companies must document in their annual reports the financial and IT controls they have in place for fiscal years that end on or after Nov. 15, 2004.

Big Four Weigh In

The nation’s Big Four accounting firms recently asked the SEC “that they not push [the filing requirement] to 60 days, at least for the moment, to help companies deal with these current pressures,” said Marios Damianides, international president of the Information Systems Audit and Control Association and the Information Technology Governance Institute, both in Rolling Meadows, Ill.

For the past few weeks, rumors have been swirling that the SEC might extend the deadline for public companies to meet Section 404 requirements. But sources said those rumors are unfounded and were based on misinterpretations of recent comments made by SEC officials; Section 404 enforcement delays aren’t anticipated. An SEC spokesman declined to comment.

“[The SEC has] already postponed Section 404 deadlines twice. If they keep backing down and do it a third time, people are going to question their credibility,” said Tim Welu, CEO of Paisley Consulting Inc., a company in Cokato, Minn., that develops software for managing audits of both IT and financial controls.

“I think they’d only extend the accelerated filing period,” said Eric Clarke, internal audit director at Bresler & Reiner Inc., a Rockville, Md.-based real estate investment trust. “If they keep extending the deadline for meeting Section 404 requirements, it won’t do anything for investor confidence.”

QuickLink 49101

Regulatory Demands Put Spotlight On Asset Management Practices

Bresler & Reiner Inc. has found itself placing a lot more emphasis on IT asset management practices as a result of pressing regulatory compliance demands.

Earlier this year, the Rockville, Md.-based real estate investment trust installed an industry-specific accounting software package that's used by its various property management companies. The package was supplied by Beaverton, Ore.-based Timberline Software Corp., said Eric Clarke, Bresler & Reiner’s internal audit director.

To help meet regulatory requirements such as the Sarbanes-Oxley Act, “we want to make sure financial information on our software and servers is adequately safeguarded and that we have an adequate disaster recovery plan in place for each site,” Clarke said.

Indeed, regulatory requirements are forcing IT managers to track their IT assets more closely, said Jane Disbrow, an analyst at Gartner Inc. “If you don’t know where all your laptops and software are located, how can you tell regulatory bodies that customer information is being kept private?” she said.

IT asset management concerns are just making their way onto Zebra Technologies Corp.'s regulatory radar screen. IT asset management “is something that is on our Sarb-Ox list a month or so into the future,” said Todd Naughton, vice president and controller at the print components supplier in Vernon Hills, Ill.

Sarbanes-Oxley is having a two-pronged effect on IT asset management practices. Under Section 404 of the act, companies are required to attest to the internal controls that are used for financial reporting. These include IT-related controls that firms have in place to effectively track and monitor hardware, plus software used to support financial reporting. Companies are also required under Sarbanes-Oxley to disclose to regulators all material financial exposures they have, including IT equipment leases and licensing agreements, which have to be tracked closely.

A soon-to-be-published survey of 220 IT decision-makers by Boston-based AMR Research Inc. found that companies that consider regulatory compliance the top business issue affecting their security spending cite the need to invest in auditing and asset-tracking tools as their No. 1 security budget priority.

- Thomas Hoffman

For additional information, visit our special coverage page: QuickLink a3250, www.computerworld.com
Legacy Army Payroll Systems Buckle Under Weight of War

GAO audit finds that 95% of 348 active reservists have had problems with pay

BY MARC L. SONGINI

The war in Iraq has helped push antiquated U.S. Army payroll systems past their breaking point, leading to widespread problems for reservists, according to a U.S. Government Accountability Office report issued this month.

So severe are the problems caused by the aging, stand-alone Cobol-based mainframe systems that the GAO audit found that 95% of 348 mobilized reserve soldiers had at least one payroll problem. The glitches included both overpayments and underpayments, as well as delayed disbursements. Some troops had numerous payroll problems, and it took more than a year to correct some of them.

Both the system itself, called the Defense Joint Military Pay System-Reserve Component (DJMS-RC), and the attendant human processes are “so error-prone, cumbersome and complex” that the soldiers affected can’t be assured of timely and accurate payment for duty served, said the GAO study. The result has been a “profound adverse effect on individual soldiers and their families,” it said.

System Limitations

One major weakness stems from a lack of integration between the DJMS-RC and related U.S. Army personnel applications. The payment system was also hampered by processing limitations, requiring “significant manual effort” to make up for the shortcomings. The GAO cited one case in which a soldier received an overpayment of $24,000 when a revocation of his mobilization status wasn’t automatically reported to the payroll system due to the gaps between the personnel system and the DJMS-RC. And because of the DJMS-RC’s computational limits, accounting for variables such as hardship duty requires manual input.

The Defense Finance and Accounting Service (DFAS), which oversees the DJMS-RC, has acknowledged that the system is “aging, unresponsive, fragile and a major impediment to efficient and high-quality customer service,” according to the GAO.

Increased Risk of Error

A DFAS spokesman said the DJMS-RC’s limitations were exacerbated by the war in Iraq; prior to the war, the system primarily handled pay for drilling exercises and not for the 12- or 18-month deployments now taking place in the Middle East. “Anytime a system requires human intervention, you increase the risk,” the spokesman said.

Acknowledging the system’s limitations, the Defense Department has launched a training program for support personnel and is rolling out an improved payroll system based on PeopleSoft Inc.’s PeopleSoft Enterprise, which will begin to go live next spring.

Once in place, the application will integrate the pay processes for reservists and active Army personnel and end the need for manual workarounds while improving stability and eliminating many of the problems identified by the GAO, said the spokesman. That system will later be phased out in favor of the larger Defense Integrated Military Human Resources Systems (DIMHRS), which was first announced in August 2001 and is also built on PeopleSoft [QuickLink 24940]. Eventually, the human resources and payroll applications will function as a single integrated system, although progress on the DIMHRS implementation has been slow [QuickLink 41815].

While “significant design work has been completed” on the DIMHRS project, extensive testing will be required before implementation can begin, said Norma St. Claire, a DOD director of joint requirements and integration. Deployment to the Army, the first branch to go online, will start in the first quarter of 2006, she said. St. Claire added that while the DOD wants the software to be as “vanilla” as possible, “sometimes there are mission requirements that are not supported by the commercial product, and a few modifications will be needed.”

QuickLink 49108

[Figure: cover of the GAO report “Military Pay: Army Reserve Soldiers Mobilized to Active Duty Experienced Significant Pay Problems,” showing its “What GAO Found” summary. Caption: System problems have left many soldiers without paychecks, this GAO report says.]

COMPUTERWORLD, August 30, 2004, page 10

TSA Readies Security Systems Rollout

BY DAN VERTON
WASHINGTON

The Transportation Security Administration last week announced a series of pilot tests of IT-based programs to bolster airport security. And TSA Administrator David M. Stone said the agency is only “days or weeks” away from deploying a revamped version of its controversial passenger-screening system.

The TSA selected two additional airports — the Norman Y. Mineta San Jose International Airport and the Helena Regional Airport in Montana — to participate in its Access Control pilot program. That brings the total number of airports in the program, which began in April, to 10.

The pilot program will test a wide range of technologies, including radio frequency identification (RFID) systems, antipiggybacking systems, advanced video surveillance technology and various biometric systems. The goal of the tests, which will run through the end of the year, is to identify technologies that allow only authorized airport personnel and vehicles to access secure areas of an airport.

The announcement was welcomed by members of Congress, who expressed frustration with the pace of technology efforts to support homeland security. At a hearing of the House Transportation and Infrastructure aviation subcommittee last week, lawmakers urged Stone not to let a desire to find the perfect technology delay the deployment of something that is “good enough” for now.

[Photo caption: A PASSENGER is screened at a boarding gate.]

Some lawmakers and airline industry executives argued that TSA programs have been hindered by a lack of standards for biometric technologies and a government bureaucracy that remains incapable of sharing information and setting priorities three years after the Sept. 11, 2001, terrorist attacks.

“Many airports are willing to deploy biometric technologies but are reluctant to do so until the Department of Homeland Security issues guidance and makes clear what types of biometric systems will meet its standards in the future,” said Rep. John Mica (R-Fla.), chairman of the House Aviation subcommittee. “Someone at DHS just needs to make a decision, and the rest will fall into place.”

Capt. Duane Woerth, president of the Air Line Pilots Association, said that when his organization began working with the IT industry and the government to establish a biometric standard, it expected the effort to take about six months.

“Every airline employee [had his] background checked and was fingerprinted three years ago,” said Woerth. “Three years later, we don’t have anything. Three years later, we’re told we might have a pilot program. That’s unacceptable.”

QuickLink 49109
Continued from page 1

Disaster Plans

age networking environments. Firms were asked what recovery strategies they use, what they consider to be best practices and what cost/risk trade-offs and regulations are driving their strategies. They were also asked what investments in disaster recovery they will make in the next year.

For security reasons, the banks were unwilling to share specific strategies publicly, but Baumann said a common concern was the need to find a data recovery methodology that’s efficient and scalable and meets the needs of internal customers.

“We'd all like to have an open checkbook to do everything right now. We’d like to do it at a price tag our companies are willing to spend,” Baumann said. “It’s not so much getting the money. It’s putting together the right business case to say, ‘Here’s why we should be doing this.’ ”

Cost Pressures

Virginia Garcia, an analyst at TowerGroup in Needham, Mass., said the discussion is unique among financial services firms, which have been squeamish about sharing IT data because they consider it a competitive advantage.

But with disaster recovery spending totaling 1% to 2% of financial firms’ budgets — that’s roughly $2 billion per year for U.S. banks — building business continuity through best practices is becoming a necessity.

“This spending is growing well into double digits — an increase of 17% a year,” Garcia said. “There’s a very concerted effort in the banking industry to get a better handle on risk management spending at the operational level.”

Charles Wollmen, managing executive director of the FSTC’s business continuity standing committee, said there were several revelations from the project. For example, banks said they are more tightly integrating recovery activities into IT systems design and incorporating them into day-to-day production practices. Companies are also moving toward more automation to reduce recovery times and eliminate human error.

Garcia agreed with those findings, saying banks are quickly moving away from tape backups and choosing disk-to-disk mirroring of data over wide geographic areas. Firms also said they’re moving toward internal bunker data centers and away from third-party recovery service providers such as SunGard Data Systems Inc. and IBM.

The companies all said they want to spread their primary and backup data centers farther apart to deal with regional power outages. “Having the data centers five miles away is not going to be good enough,” Wollmen said. “They'd like to have data centers farther apart and still be able to do the backups and not lose data. It’s more the issue of you want your cake and eat it too.”

One idea floated by the banks in conjunction with longer-distance replication of data was to share physical disaster recovery facilities in remote locations, which would spread out the cost of building and running hot sites. “But the other issue is that you have so much at stake in these large data centers,” Wollmen said. “If sharing IT increases, then risk would be a concern. So it’s a balancing act involving risk and cost.”

The FSTC plans to meet again on Oct. 6 to further discuss disaster recovery initiatives needed in the financial services industry.

QuickLink 49106

Project Findings

- Banks are increasingly using higher levels of automation to minimize recovery complexity.
- Market dynamics are demanding that large firms provide faster recovery [remainder of item illegible in scan].
- Financial firms are increasingly integrating technology recovery capabilities into systems.
- Banks are giving increased consideration to large-scale disasters and are mitigating risks with multiple, wide-area recovery locations.
- Banks are moving toward internal recovery centers and away from third-party recovery centers.

CA Shareholders Back Management on Bonuses

Money paid to former executives won't be revoked

BY STACEY COWLEY

Computer Associates International Inc. avoided a revolt at its annual meeting last week, when shareholders voted down a proposal requesting that the company’s board adopt a policy of revoking executive bonuses paid based on financial results that are later revised.

Submitted by Amalgamated Bank LongView Collective Investment Fund, the proposal came in the wake of an accounting scandal that devastated CA’s management ranks and forced the company to restate $2.2 billion of revenue.

The Amalgamated Bank fund cited the scandal in a regulatory filing supporting its proposal. The fund took issue with the millions paid to executives — specifically, to former CEO Sanjay Kumar, who served as CA's president and chief operating officer at the time the fraud occurred — and with CA's board’s silence about whether it will attempt to recoup those bonuses. Not doing so would be “a serious omission,” the fund argued.

At the meeting, 76% of votes cast sided with CA, which opposed the proposal.

Unlike recent financial scandals at other companies, CA’s didn’t involve fictitious revenue. Rather, to meet the analyst and investor expectations, the company prematurely recognized sales that should have been booked later. Based on targets that later weren’t met, CA awarded bonuses to top sales and management executives.

Amalgamated faced long odds on winning passage of the proposal. A small number of investors hold a significant percentage of CA’s shares and traditionally vote with the company’s [word illegible in scan].

Also at CA’s meeting, company chairman Lewis Ranieri said CA is considering interim CEO Kenneth Cron for the permanent spot. Cron initially said he wouldn't be a candidate in the company’s CEO search.

CA is unlikely to fill its CEO vacancy before it resolves the continuing government investigation of its accounting fraud. The company has now expelled every executive implicated in the fraud as well as those in top management roles at the time criminal activity was perpetrated, but it remains subject to fines or other sanctions the government may impose as penalty for the corporate wrongdoing.

Ranieri said he is continuing to work with the government toward a settlement. Earlier this year, CA offered $10 million to settle the charges against it, but the company hasn’t commented on the government’s response to the offer. Ranieri also said CA is reviewing the issue of compensation paid to “certain officers” in prior years.

QuickLink 49102

Cowley writes for the IDG News Service.

EMC Unveils NAS Devices

BY LUCAS MEARIAN

EMC Corp. today announced several network-attached storage (NAS) devices that can be used for backing up servers over Ethernet using Internet SCSI. EMC said it has boosted the performance on its NAS devices and improved ease of use of its graphical user interfaces.

Tony Asaro, an analyst at Enterprise Strategy Group Inc., said the revised interfaces make the NS family of NAS servers easy to manage, “even for nontechnical users.”

That point wasn’t lost on Lorie Beam, director of IT at law firm Smith, Anderson, Blount, Dorsett, Mitchell & Jernigan LLP in Raleigh, N.C. “If you have less technical people, but you have a need for them to manage things, it certainly helps,” she said.

The NAS devices are certified as iSCSI targets by Microsoft Corp., which allows administrators to consolidate their servers running Microsoft server products and Linux.

Asaro lauded EMC for its introduction of the iSCSI protocol on its boxes, noting that NAS is better than a storage-area network for certain file-sharing applications. “And iSCSI makes sense in conjunction with NAS because they both use the same Ethernet infrastructure,” he said, “making it easy to install and cost-effective.”

QuickLink 49100
Washington State Ferries Expands Wi-Fi Service for Passenger Use

BY BOB BREWIN

In a development that extends wireless WAN technology beyond fixed locations, Washington State Ferries plans to offer free Wi-Fi service to passengers on ferryboats on its high-traffic Seattle-area routes this fall.

IT director Jim Long said the ferry system recently finished testing Wi-Fi service on the M/V Klickitat on the Port Townsend-Keystone route, which connects the Olympic Peninsula to Whidbey Island, about 43 miles northwest of Seattle. Long said he would eventually like to have all 25 boats in the fleet connected to a wireless WAN that treats each “individual ferry boat like an office building” hooked up to a wired WAN. The fleet carries 26 million passengers per year between 20 ports of call.

That’s exactly what Mobilisa Inc., now running a nearly yearlong test of Wi-Fi for Washington State Ferries, is delivering, according to Nelson Ludlow, CEO of the Port Townsend-based company. Mobilisa has installed a wireless WAN that treats about 400 square miles of Puget Sound “like one big WAN,” with Wi-Fi service and wireless connectivity to the Internet available on ferryboats operating anywhere in the area. The Mobilisa tests are being funded by a $1 million grant from the Federal Transportation Administration.

Coverage Configuration

Ludlow said Mobilisa has installed a two-stage wireless system to provide coverage to Washington State Ferries. The first stage provides connectivity from the shore to the boats, with point-to-multipoint wireless gear from Sunnyvale, Calif.-based Proxim Corp. operating in the unlicensed 5.8-GHz band. Proxim’s Tsunami MP.11a system supports mobile roaming, which is key to ensuring uninterrupted connectivity from the boats as they move from the coverage area of the fixed-link wireless antennas installed on one side of a route to antennas on the other side. The Port Townsend-Keystone run doesn’t allow line-of-sight coverage, so it required the installation of two antennas on the Keystone side, Ludlow said. Mobilisa also had to develop its own switching algorithms for the handoffs between the fixed-wireless shore stations, so the signal from the vessel could bounce from one shore antenna to another throughout its run. Ludlow said Mobilisa experienced few outages in its tests with the Klickitat, which began in April; an aircraft carrier blocked the signal on one day.

The Proxim equipment on the boats connects to BeaconPoint Wi-Fi access points from Chantry Networks Inc. in Waltham, Mass. The BeaconPoints offer Wi-Fi connections using the 802.11a standard, which operates in the 5-GHz unlicensed band, and the 802.11b/g standards, which use the 2.4-GHz band.

Mobilisa has also outfitted the ferry docks with Wi-Fi BeaconPoints, allowing passengers to use the service while waiting for a boat. The Port Townsend access point also covers restaurants near the ferry dock, Ludlow said.

The BeaconPoints are hooked into Chantry’s BeaconMaster wireless switch, which allows Mobilisa to control all the BeaconPoints on all the boats from the Mobilisa network operations center in Port Townsend.

The BeaconMaster 130, priced at $12,995, is a Layer 3 switch that allows passengers to roam from dock to boat and to the dock again without initiating a new Wi-Fi session, said Luc Roy, senior director of product marketing and management at Chantry.

The ferry system plans to issue a request for bids on a ferrywide system once the trials end next March, Long said. Because of the infrastructure costs involved, he said he expects any permanent Wi-Fi system to be fee-based.

Although the trial is focused on providing Wi-Fi service, Long said he anticipates using the network to support
MARYFRAN JOHNSON

Open-Source Obligations

SOMEONE in the open-source community should send a nice bottle of champagne to Charlie Ward, manager of technical architecture at Duke Power. What’s worth celebrating? The way Ward and his crew of developers poured 1,000 hours into building a framework to support application development on Microsoft’s .Net technology, then turned their work over to the open-source community (“Utility to Make IT Framework Open-Source,” QuickLink 48960).

What made this front-page news for us last week was the significant size, relative rarity and potential impact of this corporate embrace of open-source. It’s one thing for developers to turn over a few sanctioned pieces of corporate code to their open-source playmates. It’s quite another for a major utility to throw open the doors to the results of a costly, complex software project. Open-source just climbed up another rung on the enterprise ladder.

“This is somewhat of an experiment to see how much value can be gained from the open-source community,” Ward said. Building a framework for application development doesn’t give an energy company any particular competitive advantage, he observed, but getting continued support and improvements donated by a dedicated community of developers is clearly a benefit.

The appeal of open-source is rolling rapidly across the corporate landscape. More than 60% of 140 companies surveyed this spring by Forrester Research said they were either using or planning to use open-source products — everything from databases and development tools to Web servers and desktop software. And now the feds are officially encouraging open-source adoption across all government agencies.

“Open-source is just a more efficient, effective software business model,” says John Roberts, founder of SugarCRM, one of the first open-source business application companies to attract venture funding. “It’s more than just cheaper software. It’s a shift, a movement reshaping the dynamics of a modern software company.”

I think he’s right about those fundamental shifts, which are also changing — and further complicating — the landscape of software licensing. For example, even at companies where open-source products aren’t in evidence yet, the lines of responsibility are blurring as vendors fold portions of open-source code into their own proprietary products.

One CTO I spoke with last week had just encountered a novel situation with a new software package from a major vendor. His developers found a flaw in the code and alerted the vendor, which denied responsibility, saying that the piece of code containing the flaw was open-source. The customer argued for the fix and ultimately got it — but the experience raised a red flag for the CTO.

It should do the same for you. IT executives need to educate themselves about the rights and obligations involved in open-source — even if it’s not in-house yet.

“What you need to look out for is what you give up” as well as what you gain in an open-source licensing agreement, says Larry Rosen, author of Open Source Licensing: Software Freedom and Intellectual Property Law (see “No Free Lunch,” QuickLink 48482). If you choose to share your open-source development with other companies, for example, you may be obligated to use the same license with everyone.

It will be fascinating to watch how Duke Power proceeds with its open-source experiment, its licensing arrangements and the business value that comes from it. Here’s hoping it’ll be worth another bottle of champagne. QuickLink 49072
DAN GILLMOR

Microsoft Security’s Weak Link

WINDOWS XP Service Pack 2 is now making its way onto computers. This major update is a step forward for a company that has had an abysmal record on security, and we should be happy for that much.

But it’s only one overdue action. Users should also install more capable firewalls, antivirus software and anti-spyware applications. But the service pack also reminds us of a situation that Microsoft has never properly addressed: the retail/computer security problem.

If you buy a new Windows PC for your home and hook it up to a DSL service or a cable-modem line without first installing a hardware or software firewall, your computer could well be compromised by hackers before you’ve even had time to install Microsoft’s “critical” security updates.

The PC may be turned into a spammer’s toy, a zombie spewing thousands of mail messages per day, some of which could clog corporate networks. Or, worse, it may now have a keystroke logger in place, snarfing up personal and corporate log-ons and passwords and sending them who knows where.

This is a clear and present danger to corporate networks. If an infected home PC gets connected to the corporate network, via a VPN or other means, all the work IT does internally to keep things safe could be wrecked.

Yet this is reality. Why? Because Microsoft doesn’t require computer makers and retailers to sell their PCs with totally updated operating systems. The computers likely will have XP with the most recent service pack, but no subsequent updates.

The same is true if you buy the Windows XP software by itself, in the box. It, too, will probably need updating to be even remotely safe. In other words, despite monopoly profits and legions of talented programmers, Microsoft continues to allow retail versions of Windows to go out the door with known defects. Why?

Yes, there are complications in the retail channel. Microsoft and the manufacturers would have to put in a great deal more effort, and some added expense, to do the right thing. Given the wafer-thin margins in PC retailing, you can’t expect the manufacturers or retailers to voluntarily take this on. That’s why Microsoft should step in and do it for them.

At last count, Microsoft had more than $50 billion in cash. It plans to give some of that back to shareholders. Fine. But how about using some of it to make sure that computers sold at retail have the latest update of the operating system, with the firewall turned on?

Microsoft will never do that voluntarily. Its track record shows it to be a company that offloads as many costs as possible onto captive manufacturing “partners” that have no alternatives.

The logical people to intervene in this situation are state and federal consumer-protection officials. They’d never allow auto companies to sell cars with serious known defects. Why do they permit Microsoft and the PC makers to do so?

IT should be yelling from the rooftops about this. The situation is getting better only at the margins, and that’s not nearly good enough. QuickLink 48990

Keeping the Skies Safe From Teddy

WHATEVER your political stripes, you would probably agree that Sen. Edward Kennedy (D-Mass.) is not a terrorist.

But when he tried to board a US Airways flight at Reagan National Airport near Washington this past spring, he was stopped because his name appeared on the government’s secret “no-fly” list.

This database is supposed to be one of the many weapons in the country’s fight against terrorism. And although the list hasn’t led to any arrests, it has caused approximately 350 U.S. citizens to either be delayed or denied the right to travel. The FBI won’t reveal who is on the list, which is maintained by the Transportation Security Administration, a branch of the U.S. Department of Homeland Security, which is run by Tom Ridge.

After that first incident, Kennedy, who you’d think is recognizable, was stopped repeatedly, even after his aides called the TSA to clarify the matter. His name was removed from the list only after he personally phoned Ridge.

The reason Kennedy was on the list in the first place? Apparently, the name “T. Kennedy” has been used by a suspected terrorist as an alias.

Is that all it takes?

Is this the level of sophisticated technology being deployed to fight the war on terror? You might as well digitize the phone book.

Of course, the airline says it’s the TSA’s problem, and TSA officials say they’re just doing their job and that glitches — well, they just happen. And, yes, they’re going to get a bigger, better system.

And while the government says the TSA will issue a letter for those who are mistakenly on the list, how will you know you need the letter unless you’re stopped at some airport or border crossing?

I have an English friend who possesses a valid U.S. green card and has worked legally in the U.S. for years. A technology professional who regularly travels from London to Seattle, he was stopped by U.S. immigration officials because he had a U.K. address on one of his documents. When he tried to explain that he goes back and forth on business, he was ushered into a small room and grilled by officers, who made it clear that they didn’t believe a word of what he was saying.

Finally, after a rather nerve-rattling experience, a supervisor was called to the scene, inspected the documents and let my friend proceed.

Technology is often touted as savior or scoundrel when it comes to big government projects. The government is spending boatloads of borrowed cash to install massive databases designed to link all sorts of lists, from tallies of delinquent student loans or driver’s licenses to flight manifests. It’s an interesting idea to build a web of interlocking information to trap terrorists. But the execution is a direct contradiction to the openness, freedom and common sense that characterizes civil society.

The moral of this story isn’t that technology is the culprit. Using IT to make the government more efficient, more transparent and more accessible to more people is a liberating and powerful concept. Every day, individuals click through the business of renewing driver’s licenses, e-mailing elected officials or checking on government programs, using the sublime magic of the microchip.

But technology that’s misused is a problem. The no-fly list is a no-win in the fight against terror. QuickLink 48972
Critics Fire Back at ITAA Over E-voting

ACCORDING TO the article “ITAA Fires Back at Critics of E-voting” [QuickLink 48210], a recent survey by the Information Technology Association of America showed “that 77% of registered voters are unconcerned about the security of e-voting systems,” and ITAA President Harris Miller believes that “critics who claim to be concerned about the security of e-voting systems are really using the issue to push a political agenda on behalf of the open-source community.”

I’m pretty sure those same 77% of registered voters aren’t concerned about the security of their home PCs, given the widespread problem of worms, viruses and spyware.

If asking proponents of open-source software to comment on the security of electronic voting systems is, as Miller says, “like asking a bunch of clergymen what they think of premarital sex,” then asking end users about computer security is like asking a bunch of prostitutes what they think of family values.
Joe Sestirich
LAN administrator, Pittsburgh

I WORK IN THE IT section of a bank, and if we were to go about our normal operations without any hard-copy audit trails, the federal government would shut us down in a heartbeat. How is it that something as important as selecting the man who will run and represent our country doesn’t warrant the same scrutiny as processing our money?
Frank Thomas
Pittsburgh, fthomas@comcast.net

THE ITAA’S views and statistics are a smokescreen. This e-voting issue has nothing to do with open-source vs. proprietary, and all to do with reliability, security and auditability. I belong to an e-voting watchdog group in North Carolina, and I would say 90% of the members have no idea what open-source is. They just want a verifiable election.
Jim Franz
Programmer, Greensboro, N.C.

THE ITAA’S statement is ridiculous! Did the survey respondents know what “security of e-voting systems” means? This is a world where 95% of the people cannot program their VCRs. My guess is that most voters would think a policeman at the polling place constitutes good security for the e-voting systems. Read Computerworld’s Shark Tank to get a better understanding of the level of computer knowledge out there.
S. Duffy
Senior system analyst, Minneapolis

MANY PEOPLE I have known in my 27 years in the industry have no clue about what a secure computer system involves. I’ve even had a conversation with someone who writes software for the Internet as a profession who believes that simply restricting traffic to Port 80 will keep your server safe.

If 77% of registered voters began to keep up with the security patches on their PCs, stopped opening e-mails and executing attachments from unknown sources, then maybe I would begin to trust their opinion on a secure computer system. Until then, the issue is not open-source vs. proprietary software: it’s about the ability to audit the system. Until major strides are made in computer security, including getting rid of unethical people from the computer profession, a paper trail will be a requirement to guarantee the accuracy of a voting system.
Michael Quigley
Systems analyst/programming coordinator, New Knoxville, Ohio

IF E-VOTING is as flawed as the logic in Harris Miller’s justification, then we need to bury the idea immediately. The percentage of people uninformed about an issue does nothing to condemn or defend it.
Chuck Hinkle
Houston

COMPUTERWORLD welcomes comments from its readers. Letters will be edited for brevity and clarity. They should be addressed to Jamie Eckle, letters editor, Computerworld, PO Box 9171, 500 Old Connecticut Path, Framingham, Mass. 01701. Fax: (508) 879-4843. E-mail: letters@computerworld.com. Include an address and phone number for immediate verification.

For more letters on these and other topics, go to
QUICKSTUDY
Fuzzy Logic
While Boolean logic solves problems with a binary, yes-or-no answer, fuzzy logic solves problems when data is vague or imprecise. Page 26

SECURITY MANAGER’S JOURNAL
Company Secrets Hit the Exits
Mathias Thurman discovers that a lax policy has allowed executives who are leaving his company to depart with laptops loaded with sensitive e-mail, applications and data. Page 27

Directory Assistance
Virtual directories provide applications with a single point of access to user data when the information requested is located in more than one directory. Page 24

ORGANIZED CRIME INVADES CYBERSPACE

Once the work of vandals, viruses and other malware are now being launched by criminals looking for profits. BY DAN VERTON


ANTIVIRUS RESEARCHERS have …

“The July outbreak of MyDoom.O was yet another reminder that spammers are now using sophisticated, blended threats that mix spam, viruses …” … product marketing at Postini Inc., an e-mail security services provider in Redwood City, Calif. In July alone, … …mers to hijack a company’s entire e-mail directory.

The link between viruses, worms and the underground criminal economy, however, goes back to long before … Mikko Hypponen, antivirus research director at F-Secure Corp. in Helsinki, Finland. Starting with the initial outbreak of MyDoom in January, Hypponen began to notice that what had pre- … actually had a significant link to organized efforts to use malicious code to make money.

“MyDoom got press coverage because of the denial-of-service attack it launched against SCO and Microsoft Corp.,” says Hypponen. “But nobody was paying attention to what was happening behind the scenes.”

And what was happening, according to Hypponen, was the beginning of a concerted, unabashed effort to turn virus and worm infections into cash.

Eight days after MyDoom.A hit the Internet, somebody scanned millions of IP addresses looking for the back door left by the worm, said Hypponen. The attackers searched for systems with a Trojan horse called Mitglieder installed and then used those systems as their spam engines. As a result, millions of computers across the Internet were now for sale to the underground spam community.

Of course, spamming viruses aren’t new. Security professionals have been dealing with them for years. However, the appearance of MyDoom and more recent viruses and worms signaled the beginning of much larger problems, … were busy dealing with the Bagle mass mailer. And although the first version wasn’t particularly successful, at least a dozen variants soon followed, including variants that carried Mitglieder.

But the real clues that organized gangs were using Bagle and MyDoom to sell spam proxies — as well as links to phony Web sites that exist only to harvest identities and personal financial information — came when the writer behind Netsky.R posed a direct challenge to the so-called professional virus writers.

In addition to attempting to remove Bagle and MyDoom from infected computers, Netsky conducted a denial-of-service attack against Web sites known to be fronts for identity thieves, according to Hypponen.

When F-Secure analysts decoded the encrypted messages hidden within a subsequent version of Bagle (Bagle.J), they discovered a threat of a virus war if the Netsky author continued to “ruin” the “business” of the professional virus writers.

“We have information that the writers of both MyDoom and Bagle may be Russian immigrants living in various European countries,” says Hypponen.

Whoever is behind it, they are organized and running a thriving business, says Hypponen.

Brian Dunphy, director of global analysis operations at Symantec Corp.’s Security Operations Center in Alexandria, Va., acknowledges that it’s difficult to discern the intent behind many viruses and worms in the wild. In addition to planting back doors, some worms, such as the latest MyDoom variant, have embedded peer-to-peer updating capabilities, he says.

“What we used to see are worms and viruses that did not have a reach-back-and-call-home capability,” says Dunphy. “What we saw with MyDoom, however, was that infected systems were aware of other infected systems and they automatically built a peer-to-peer network of sorts.”

[Photo caption: Organized virus writers use viruses and worms to create spam that leads unsuspecting users to fake online banks or Web sites, such as this one, that exist only to steal identities.]

In fact, Symantec’s analysis of the recent MyDoom.M outbreak discovered a mechanism that’s used to maintain a list of all known infected systems and permits the worm’s author to update all MyDoom.M-infected systems with new arbitrary malicious code with little risk of its network being hijacked by rival worm authors, says Alfred Huger, senior director of Symantec Security Response.

In addition to propagating spam proxies and setting up peer-to-peer networks, viruses and worms are being used to install Web servers on vulnerable systems. Those Web servers are then used to host everything from pornography and pirated software sites to fake banks, Huger says.

Underground bartering and selling is conducted on Web sites such as a Russian site that, among other things, sells subscription services to compromised computers.

Various other Russian and Chinese message boards exist for the sole purpose of selling spam hosts. Accepted payment methods, shown clearly on the Web pages, include E-gold transactions and WebMoney and Western Union money transfers. Ironically, organized e-criminals don’t accept credit cards.

For Sale: Your ID

Viruses and worms carrying Trojan horse code are also powering massive identity theft rings.

At sites like www.oemcd.biz, www.mega-oem.biz, http://huge-sales.info and www.atlantictrustbank.com, among hundreds of others, users are presented with the opportunity to buy popular software at tremendous discounts, sometimes at one-tenth the retail price. And while these sites look authentic, Hypponen offers a word of caution.

“The one thing all of these sites have in common is that none of them exist,” he says. “If you buy something from them, you’ll get nothing, and they will never charge your credit card. But what they will do is steal your identity.” In fact, identities and bulk credit card “dumps” are available to the highest bidder at some sites.

Tracking down virus writers and other online criminals can be more difficult than anybody ever imagined. It’s particularly difficult in the case of fraudulent domain-hosting schemes, which often use IP addresses that expire every two minutes, Hypponen says.

“If you refresh these sites, the domain name points to a different IP address every two minutes,” he explains. “And then if you look at the IP addresses, you’ll see that they are in places like Japan, Portugal, Brazil, Canada and elsewhere.”

Hackers and malicious-code writers are increasingly automating the Internet shell game that keeps many of them one step ahead of law enforcement. The Kuwaiti hacker group … …tence of a Trojan horse created by Q8See called Slacke. But what made Slacke unique was the extraordinary lengths to which its authors went to hide their tracks and the mystery that remains about the group’s intent.

First, the worm downloaded code from a Web site hosted in São Tomé and Principe, a small island nation located off the Atlantic coast of Africa. Analysis by F-Secure, however, showed that the domain rights for the Web site had been sold to a company in Sweden. But registration information listed the company name as JordanChat and the location as Irbid, Jordan. The contact name was TeROr.

As thousands of infected computers downloaded the malicious code from the Web server in São Tomé and Principe, they were then linked to an Internet Relay Chat system operated by CNN in Atlanta.

Once logged into CNN’s IRC server, the systems connected to an IRC channel in Mexico called Noticias. And when Hypponen and his analysts studied the channel, they were astonished at what they saw.

“There were 20,000 clients just sitting on the channel doing nothing. They looked like people, but they were bots,” he says, referring to programs that perform repetitive, automated functions.

The bots, however, weren’t alone. According to Hypponen, three Kuwaiti users, presumably members of Q8See, were sitting on the channel and sending commands to the bots to scan various ranges of IP addresses. And while CNN eventually shut down the chat server, nobody knows for sure what the hackers were doing.

“We may never know,” says Hypponen. “Whether or not this is traditional organized crime doesn’t matter — because they are organized, and what they are doing is criminal.” QuickLink 48794
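Hypponen’s description of the fraudulent domain-hosting schemes (a name that resolves to a new address every two minutes, each in a different country) is a pattern a defender can look for in resolver logs. The following is an added example, not code from the article or from F-Secure: it parses constructed resolver log lines (documentation-range addresses, made-up domain names, and a cc= country field assumed to have been attached by a geolocation step) and reports domains whose answers churn across many hosts and countries with short TTLs, while leaving a low-TTL, single-country content-delivery name alone.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed resolver log lines (documentation-range addresses, made-up domains); the
# line format and the cc= country field (assumed geolocation step) are not any real
# product's output. One malformed line is included to show it is skipped.
SAMPLE_LOG = """\
2004-09-06T10:00:00Z A www.cheap-oem-deals.test 203.0.113.5 ttl=120 cc=JP
2004-09-06T10:00:30Z A www.intranet.example.test 192.0.2.100 ttl=3600 cc=US
2004-09-06T10:01:00Z A cdn.bigvendor.test 203.0.113.10 ttl=60 cc=US
2004-09-06T10:02:00Z A www.cheap-oem-deals.test 198.51.100.17 ttl=120 cc=PT
2004-09-06T10:03:00Z A cdn.bigvendor.test 203.0.113.11 ttl=60 cc=US
2004-09-06T10:04:00Z A www.cheap-oem-deals.test 192.0.2.44 ttl=120 cc=BR
# resolver restarted
2004-09-06T10:05:00Z A cdn.bigvendor.test 203.0.113.10 ttl=60 cc=US
2004-09-06T10:05:30Z A www.intranet.example.test 192.0.2.100 ttl=3600 cc=US
2004-09-06T10:06:00Z A www.cheap-oem-deals.test 203.0.113.77 ttl=120 cc=CA
2004-09-06T10:08:00Z A www.cheap-oem-deals.test 198.51.100.203 ttl=120 cc=JP
2004-09-06T10:09:30Z A www.intranet.example.test 192.0.2.100 ttl=3600 cc=US
2004-09-06T10:10:00Z A www.cheap-oem-deals.test 192.0.2.9 ttl=120 cc=US
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<qtype>[A-Z]+) (?P<domain>\S+) (?P<ip>\d+\.\d+\.\d+\.\d+) "
    r"ttl=(?P<ttl>\d+) cc=(?P<cc>[A-Z]{2})$"
)


@dataclass
class DomainStats:
    """Per-domain observations accumulated from the log."""
    ips: list = field(default_factory=list)        # answers in observation order
    countries: set = field(default_factory=set)
    min_ttl: int = 10**9

    @property
    def distinct_ips(self) -> int:
        return len(set(self.ips))

    @property
    def flips(self) -> int:
        """How often the answer changed between consecutive resolutions."""
        return sum(1 for a, b in zip(self.ips, self.ips[1:]) if a != b)


def parse_log(text: str) -> dict:
    """Aggregate A-record answers per domain; malformed lines are ignored."""
    stats = defaultdict(DomainStats)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["qtype"] != "A":
            continue
        s = stats[m["domain"]]
        s.ips.append(m["ip"])
        s.countries.add(m["cc"])
        s.min_ttl = min(s.min_ttl, int(m["ttl"]))
    return stats


def flag_fast_flux(stats: dict, min_ips: int = 4, min_countries: int = 3,
                   max_ttl: int = 300) -> dict:
    """Domains whose answers churn across many hosts in many countries with short TTLs.

    A short TTL alone is normal for content-delivery networks, so all three conditions
    must hold before a domain is reported. The thresholds are assumptions to tune per site.
    """
    flagged = {}
    for domain, s in stats.items():
        if (s.distinct_ips >= min_ips and len(s.countries) >= min_countries
                and s.min_ttl <= max_ttl):
            flagged[domain] = {
                "distinct_ips": s.distinct_ips,
                "flips": s.flips,
                "countries": sorted(s.countries),
                "min_ttl": s.min_ttl,
            }
    return flagged


def analyze(text: str = SAMPLE_LOG) -> dict:
    """Parse the log and return the flagged domains with the evidence behind each."""
    return flag_fast_flux(parse_log(text))
```

On the sample log only the shop domain is reported: six distinct addresses in five countries with a 120-second TTL, the same two-minute churn Hypponen describes.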
THE BOEING CO. has a diverse directory infrastructure that includes products like Sun ONE, Microsoft Active Directory and Oracle. Having a heterogeneous directory infrastructure in a company the size of Boeing is a practical necessity, but it also creates headaches for the aerospace company, which has 900 directory-enabled applications that serve some 150,000 employees.

The problem is that most identity management systems, Web portals and other directory-dependent applications are designed to access just one directory, but the data each requires may reside in many. Even when requested data is available in a single repository, it may not be structured in the way the application wants to see it.

As a result, getting each application to work with the directory infrastructure can become a big project, says Marty Schleiff, a cyberidentity specialist at the Boeing Shared Services Group.

“Every requirement means changing an existing directory without breaking it for existing clients or setting up a new directory,” Schleiff says. A third option, customizing the application, can be costly. Unlike with internal application development projects, the money spent customizing a commercial application can’t be leveraged by other applications, and customization adds to the amount of code that must be maintained, he says.

To solve the problem, Schleiff is turning to virtual directory software, an emerging class of products that he says offers a more flexible approach to providing applications with access to user account data and other attributes.

Boeing has piloted and is ready to begin a phased rollout of Virtual Directory Engine from OctetString Inc. in Schaumburg, Ill. To the application, the virtual directory looks just like the target directory it expects to see. It takes requests for data from the application, retrieves it from the back-end directories, performs any transformations needed and presents it to the application in the format required. No modification to the application or target directories is needed.

“We’re deploying it to support many client applications. We’re trying to create a shared service,” Schleiff says.

The Virtual Difference

Virtual directories are similar to another tool: metadirectories. Both can access user data from different repositories. Metadirectories, a core element of user provisioning tools, copy data into a new repository that must be created, maintained and synchronized. The need to keep data updated can be a headache when data in source directories changes frequently. Some business units may also object to the idea of creating a second repository for customer data that will be outside of their control, citing regulatory or strategic concerns.

In contrast, virtual directories access the attributes requested from each directory or database on the fly. The software uses a cache to speed performance but typically doesn’t store data locally.

Virtual directory deployments can cost substantially less than alternative strategies. The software, licensed by the server, may cost $10,000 to several hundred thousand dollars for a large project. But that’s a small price to pay compared with the cost of rebuilding an enterprise directory or reworking each application, says Schleiff. “Anytime you’re considering spending money to customize an application so that it can use your directory, you should look at virtual directory technology,” he says.

The technology can even help applications that aren’t sophisticated enough to deal with more complex directory mechanisms such as Lightweight Directory Access Protocol (LDAP) referrals. A virtual directory can follow the reference to locate the data and return it to the application.

But virtual directories also have a few drawbacks. Although they don’t create an additional repository, they do create another layer of complexity because they require applications to access information indirectly through the virtual directory server rather than going to the directory that actually holds the data.

“There’s a discomfort with adding another layer of infrastructure. If something happens to our Web single sign-on, our critical applications are down,” says Schleiff. “Virtual directories ... both simplify and make the service offering more complex.”

Another potential weakness: Virtual directories are only as good as the directories behind them. If a directory tends to go down frequently or offers poor response, a metadirectory that has its own data source may be a better choice. But users say virtual directories have advantages here, too. They have load-balancing and fail-over features that can be configured to redirect a request to an alternative data source. If the connection drops in the middle of a request, for example, the virtual directory retries another repository and returns the rest of the data.
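The request path the article describes (the application asks for attributes, the virtual directory fetches them from the back-end repositories, renames and reshapes them into the form the application expects, and redirects to an alternate source when a repository is down) can be sketched in a few dozen lines. This is an added illustration, not OctetString’s or Boeing’s code: the repositories are in-memory stand-ins holding constructed records, and the attribute mapping and the rule that builds a hierarchical dn from a flat department attribute are assumptions.

```python
from dataclasses import dataclass
from typing import Any, Optional


class BackendDown(Exception):
    """Raised when a back-end repository cannot answer (simulated outage)."""


@dataclass
class Backend:
    """Stand-in for one repository behind the virtual directory (LDAP server, RDBMS table ...)."""
    name: str
    key: str                          # attribute on which this repository's records are joined
    records: list                     # constructed sample data, not real accounts
    healthy: bool = True

    def find(self, key_value: str) -> Optional[dict]:
        if not self.healthy:
            raise BackendDown(self.name)
        return next((r for r in self.records if r.get(self.key) == key_value), None)


@dataclass
class VirtualDirectory:
    """Fetches attributes from several repositories on the fly and presents one LDAP-style entry."""
    groups: dict                      # group name -> [primary, alternate, ...]
    attr_map: dict                    # application attribute -> (group, repository attribute)
    base_dn: str
    ou_attr: str = "department"       # flat attribute that becomes the ou= level (assumed rule)

    def _fetch(self, group: str, key_value: str) -> Optional[dict]:
        """Ask the group's primary; if it is down, redirect the request to an alternate."""
        last: Optional[BackendDown] = None
        for backend in self.groups[group]:
            try:
                return backend.find(key_value)
            except BackendDown as exc:
                last = exc                  # fail over to the next repository in the group
        raise BackendDown(f"{group}: no repository available") from last

    def lookup(self, uid: str, attrs: list) -> Optional[dict]:
        """Return the requested attributes plus a synthesized dn for uid, or None if unknown."""
        wanted = list(attrs) + [self.ou_attr]
        fetched: dict = {}
        for attr in wanted:                 # one round trip per repository, not per attribute
            group, _ = self.attr_map[attr]
            if group not in fetched:
                fetched[group] = self._fetch(group, uid)
        if all(rec is None for rec in fetched.values()):
            return None
        entry: dict = {}
        for attr in wanted:                 # rename repository attributes to what the app expects
            group, src = self.attr_map[attr]
            rec = fetched[group]
            if rec is not None and src in rec:
                entry[attr] = rec[src]
        # Hierarchical view of flat data: the ou= level is derived from an attribute value,
        # so the application sees the tree it expects without the source directory being rebuilt.
        ou = entry.get(self.ou_attr, "unknown")
        entry["dn"] = f"uid={uid},ou={ou},{self.base_dn}"
        if self.ou_attr not in attrs:
            entry.pop(self.ou_attr, None)
        return entry


# Constructed repositories: a corporate LDAP directory with a replica, and an HR database table.
CORP_LDAP = Backend("corp-ldap", "uid", [
    {"uid": "jdoe", "cn": "Jane Doe", "mail": "jdoe@example.test", "department": "Engineering"},
    {"uid": "rroe", "cn": "Rick Roe", "mail": "rroe@example.test", "department": "Finance"},
])
CORP_LDAP_REPLICA = Backend("corp-ldap-replica", "uid", CORP_LDAP.records)
HR_DB = Backend("hr-oracle", "username", [
    {"username": "jdoe", "emp_id": 10417, "job_title": "Staff Engineer"},
    {"username": "rroe", "emp_id": 10982, "job_title": "Analyst"},
])

VDIR = VirtualDirectory(
    groups={"ldap": [CORP_LDAP, CORP_LDAP_REPLICA], "hr": [HR_DB]},
    attr_map={
        "cn": ("ldap", "cn"), "mail": ("ldap", "mail"), "department": ("ldap", "department"),
        "employeeNumber": ("hr", "emp_id"), "title": ("hr", "job_title"),
    },
    base_dn="o=example",
)


def lookup_jdoe() -> Optional[dict]:
    """Attributes joined from both repositories, presented under a hierarchical dn."""
    return VDIR.lookup("jdoe", ["cn", "mail", "employeeNumber", "title"])


def lookup_with_primary_down() -> Optional[dict]:
    """Primary LDAP outage: the replica answers and the application never notices."""
    CORP_LDAP.healthy = False
    try:
        return VDIR.lookup("rroe", ["mail", "title"])
    finally:
        CORP_LDAP.healthy = True


def lookup_unknown() -> Optional[dict]:
    """No repository knows the uid: the virtual directory answers with no entry."""
    return VDIR.lookup("nobody", ["mail"])
```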
Starting Small

Boeing is one of the first companies to make the virtual directory an integral part of its directory service, but programmers and directory specialists at many large companies have been quietly using the tools for several years for specific, one-off applications or departmental development projects. Jeff Sobel, a senior analyst at New York Independent System Operator (NYISO), a wholesale electricity provider in Albany, was building a Web application to let customers place bids over the Internet. He chose RSA Security Inc.’s ClearTrust access management software to authenticate users, but the product could point to only one LDAP directory. His user data resided in an Oracle database and an LDAP directory. At RSA’s suggestion, he brought in RadiantOne virtual directory software from Radiant Logic Inc. in Novato, Calif. Sobel says he had the software up and running within a month. “It’s not a long cycle time to get it running,” he says.

NYISO wasn’t always sold on virtual directories, however. The company looked at the tools a year ago and decided that most weren’t mature enough. Although a few virtual directory tools have been around since the late ’90s, they’ve improved significantly since then, says Gerry Gebel, a Fairfax, Va.-based analyst at Burton Group. Several vendors have added graphical point-and-click user interfaces to the tools that make setting them up much easier than the previous, text-based interfaces and configuration files. “But you still have to understand LDAP, database structures and things of that nature,” Gebel cautions.

The manager of directory services at a large family entertainment company, which he asked not be named, says a virtual directory made sense for his application for both political and technical reasons. The company uses a flat directory structure, but its identity management software expects user data to be organized hierarchically. Using a metadirectory to transform the data was out because management “really put the hammer down about replicating data to different business units,” he says. Rebuilding the source directory would have required eight months, versus just one month to deploy a virtual directory. The technology provided a hierarchical view of the data “without provisioning our data all over again,” he says.

Choosing a virtual directory means looking at very small vendors, since the big directory players have yet to offer full-blown virtual directory products. The virtual directory vendors — about a half-dozen in all — are typically small, privately held firms with fewer than 30 employees and anywhere from five to 50 or more customers. Yet the vendors count many of the world’s largest companies among their customers. “The larger and more complex the organization, the more need they have for this technology,” says Gebel.

One way to mitigate the risk of going with small vendors is to leverage agreements they have with identity management software vendors and integrators. Radiant Logic has agreements with RSA and Accenture Ltd., for example, while OctetString has allied itself with Oblix Inc. Users can take other steps as well, says Gebel. “If you’re implementing something that is higher risk, you need to take measures such as getting source code in escrow or going through a larger vendor,” he says.

Another potential concern is scala-

Virtual Players

VENDORS OF VIRTUAL DIRECTORY SOFTWARE are generally small companies with 30 employees or less and a customer base measured in tens of users. Some vendors offer only a virtual directory, while others offer a mix of products and services. Here’s how they differentiate themselves.

Radiant Logic and Trondheim, Norway-based MaXware Inc. offer both metadirectory and virtual directory products and promote integration features between the two. The MVD MaXware Virtual Directory offers a flexible and easy-to-use interface, says Burton Group’s Gerry Gebel. RadiantOne adds a “persistent cache,” blurring the distinction between its metadirectory and virtual directory products. Both BEA Systems Inc. and BMC Software Inc. include Radiant Logic’s technology in their product lines, while MaXware has partnered with Hampshire, England-based integrator BT Syntegra.

OctetString started with a Java LDAP directory that it transformed into its Virtual Directory Engine. The product has flexible joining, mapping and transformation features, and a newly released 3.0 version adds features that make the product easier to use. Oblix resells the technology with its CoreID product.

Symlabs SA in Lisbon, Portugal, is the smallest vendor in the group; it focuses on high-performance, large-scale deployments. Telecommunications companies are among the early adopters of its Directory Extender product. Paris-based Calendra’s Directory Manager includes a complete development environment and workflow component. The vendor has experience in developing Yellow Pages-type applications, says Gebel.

Persistent Systems Pvt., an established software development outsourcer in Pune, India, is by far the largest vendor in the group. It has experience building metadirectory connectors for other vendors. It has about 1,000 employees, although only about 30 support enQuire Virtual Directory. That product, part of the enQuire Identity Server, also supports a persistent cache.

- Robert L. Mitchell
bility, says Gebel, although vendors 
disagree. While the products have been 
shipping for several years, they’re evolv- 
ing and have yet to prove themselves in 
many large-scale deployments, he says. 
But those concerns don’t bother 
NYISO’s Sobel. He says he plans to use 
the technology as part of a broader, 
single-sign-on project involving more 
than a half-dozen directories. “Because 
we aren't tied down to a true directory 
... it’s easier to add repositories as time 


moves on.” @ 48758 
Fuzzy Logic

DEFINITION

Fuzzy logic is an extension of classic Boolean logic designed to work with imprecise or vague data, with the concept of partial truth. Where classical reasoning requires yes and no values, fuzzy logic can handle concepts such as "maybe," "nearly" and "very."

BY RUSSELL KAY

THE DIGITAL computing world is built on a structure of Boolean logic applied to binary values — one or zero, yes or no, in or out. But this powerful structure is a gross oversimplification of the real world, where many shades of gray exist between black and white. In everyday life, we use quasi-metric notions that are clearly related to numerical concepts or values but lack precision or demarcation.

What time is it? If I'm a server time-stamping thousands of files, digital certificates or transactions, I need very fine distinctions. But if I'm asking a co-worker what time it is, do I really care that it's 11:49:54 a.m. Eastern Daylight Time? Or do I just want to know if it's time for lunch yet?

Or take the weather. If it's 90 degrees Fahrenheit on a July day, that's hot for Massachusetts but mild for Arizona. A total of several inches of rain that month might constitute a drought in Massachusetts but a welcome relief from one in Arizona.

Get Fuzzy

The real world simply doesn't map well to binary distinctions, and numerical precision is often unhelpful in making qualitative statements. Fuzzy logic gives us a way to deal with such situations.

In fuzzy systems, values are indicated by a number (called a truth value) in the range from 0 to 1, where 0.0 represents absolute falseness and 1.0 represents absolute truth. While this range evokes the idea of probability, fuzzy logic and fuzzy sets operate quite differently from probability.

If I tell you that my height is 5 ft. 6 in. (or 168 cm), you may have to think a bit before deciding whether you consider me short or not short (i.e., tall). Moreover, you might reckon me short for a man but tall for a woman. So let's make the statement "Russell is short," and give that a truth value of 0.70.

If 0.70 represented a probability value, we would read it as "There is a 70% chance that Russell is short," meaning that we still believe that Russell is either short or not short, and we have a 70% chance of knowing which group he belongs to. But fuzzy terminology really translates to "Russell's degree of membership in the set of short people is 0.70," by which we mean that if we take all the (fuzzy set of) short people and line them up, Russell is positioned 70% of the way to the shortest. In conversation, we would say Russell is "kind of" short and recognize that there is no definite demarcation between short and tall. We can state this mathematically as mSHORT(Russell) = 0.70, where m is the membership function.

Another difference becomes visible when we look at some logical operations, particularly or and and. In probability, we calculate the and (intersection) of two independent events by multiplying their individual probabilities together and the or (or union) as the sum of individual probabilities less their product. For fuzzy logic, we evaluate or as the maximum of individual truth values, while and is the minimum of those values. As we incorporate more factors into the mix, even those with high values, the overall probability continues to drop, eventually approaching 0.0. For fuzzy logic, however, the truth value remains high. Similarly for the or operator, incorporating more factors increases probability to near 1.0, while adding more fuzzy sets doesn't raise the combined value at all, and the limit will be the largest of the individual membership values.

Hedging Your Bets

One thing that makes fuzzy systems useful is the ability to define "hedges," or descriptive modifiers, to represent fuzzy values. This keeps the operations of fuzzy logic closer to natural language and allows us to generate fuzzy statements through mathematical calculations.

Defining hedges and the operations that use them is a subjective process, and it can vary from project to project. But the system lets us use operators and produce compound results using the same formal methods as classic logic.

For example, let's change the statement "Bob is old" to "Bob is very old." Here we're using "very" as a hedge or descriptor, and this particular hedge is often defined as equivalent to the square of the base value. Therefore if mOLD(Bob) = 0.80, then mVERYOLD(Bob) = 0.64.

Other hedges include "more or less," "somewhat," "rather" and "sort of." All have subjective definitions but transform membership/truth values in a systematic, reliable manner.
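The min/max rules, the probabilistic product and sum-less-product rules, and the "very" hedge described above, worked through in code. This is an added example, not code from the article; the height breakpoints in short_membership() are an assumption chosen so that a 168 cm person gets the article's mSHORT = 0.70, and combine_many() reproduces the article's claim that stacking many high-valued factors drives probabilistic and toward 0.0 and probabilistic or toward 1.0 while the fuzzy results stay put.

```python
"""Fuzzy vs. probabilistic combination of truth values, plus a hedge.

Added example (not code from the original article). It implements the
rules the article states: fuzzy AND = minimum, fuzzy OR = maximum,
probabilistic AND of independent events = product, probabilistic OR =
p + q - pq, and the "very" hedge as the square of the base membership.
"""
from functools import reduce
from typing import Dict, Sequence


def fuzzy_and(values: Sequence[float]) -> float:
    """Intersection of fuzzy sets: the smallest membership value."""
    return min(values)


def fuzzy_or(values: Sequence[float]) -> float:
    """Union of fuzzy sets: the largest membership value."""
    return max(values)


def prob_and(values: Sequence[float]) -> float:
    """Joint probability of independent events: the product."""
    return reduce(lambda p, q: p * q, values, 1.0)


def prob_or(values: Sequence[float]) -> float:
    """Probability that at least one independent event occurs: p + q - pq, folded left."""
    return reduce(lambda p, q: p + q - p * q, values, 0.0)


def very(membership: float) -> float:
    """The 'very' hedge: the square of the base value, so mVERYOLD = mOLD ** 2."""
    return membership ** 2


def short_membership(height_cm: float, fully_short: float = 159.0,
                     not_short: float = 189.0) -> float:
    """Piecewise-linear membership function m for the fuzzy set SHORT.

    Heights at or below `fully_short` get 1.0, heights at or above `not_short`
    get 0.0, and heights in between fall off linearly. The breakpoints are an
    assumption (not from the article), picked so that 168 cm maps to 0.70.
    """
    if height_cm <= fully_short:
        return 1.0
    if height_cm >= not_short:
        return 0.0
    return (not_short - height_cm) / (not_short - fully_short)


def combine_many(value: float, count: int) -> Dict[str, float]:
    """Combine `count` copies of one high truth value under both systems.

    Probabilistic AND decays toward 0.0 and probabilistic OR climbs toward 1.0
    as factors are added; fuzzy AND and OR stay pinned at the value itself.
    """
    values = [value] * count
    return {
        "fuzzy_and": fuzzy_and(values),
        "prob_and": prob_and(values),
        "fuzzy_or": fuzzy_or(values),
        "prob_or": prob_or(values),
    }


if __name__ == "__main__":
    print("mSHORT(Russell) =", short_membership(168))
    print("mVERYOLD(Bob)   =", very(0.80))
    print("ten factors of 0.9:", combine_many(0.9, 10))
```

Running the module prints 0.7 for Russell, 0.64 for "very old" Bob, and for ten factors of 0.9 a probabilistic and of about 0.35 against a fuzzy and that is still 0.9.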
Company Secrets
Hit the
its

It does no good to worry about hacker attacks if departing executives are free to leave with sensitive programs and data. By Mathias Thurman

THE OTHER day, I found out that an executive in my company was leaving. Normally, that wouldn't be a big deal. After all, in a large company people come and go all the time. But this executive's employment contract included a clause that lets him keep his laptop. As a security manager, I find this alarming, but it's a common practice when hiring executives here.

While executives have always departed with their computers, until now no one has bothered to erase the sensitive programs and data on those machines. Computers in the sales and marketing group, for example, contain customer contact lists, confidential price lists, e-mail correspondence, and merger and acquisition information.

The executive in question was part of an inquiry a few months ago that required obtaining an image of his laptop's hard disk drive. A member of the legal department, hearing of his planned departure, remembered that inquiry and called me. This person was leaving the company under good terms, he said.

Nonetheless, I asked for his laptop right away so that we could take another mirror image, wipe the drive and then install the standard baseline image on it. To my surprise and dismay, my request was met by a considerable amount of resistance from management. But in the end, less than 24 hours before the employee's departure, I finally received his laptop.

In the wake of this episode, the CIO established a policy that any laptop leaving with an employee must have its disk wiped. The policy statement will be included in future offer letters whenever retention of any company-issued computer equipment is part of the employment agreement.

With that problem behind me, I turned my attention to another pressing issue. Except for certain enterprise-class applications, such as PeopleSoft, Oracle and Siebel, my company develops in-house almost all of the software it uses. Prior to deployment, any application we develop must enter our project life cycle, which includes many reviews. Most of the items I am concerned with relate to access control, encryption, server and application security, and proper network segregation.

Unfortunately, this process is fairly new and is always being refined. We've only recently mandated IT security representation at the various stages of projects. Now, someone in my group attends the project planning meetings and all technical and critical design review boards. But sometimes smaller programming projects can slip by.

A few months ago, I encountered an application that lets a user create and publish surveys. Since the program was designed for a group that was using the application for the one-time collection of nonsensitive data from the sales organization, we decided not to run it through the project life-cycle process. But I remember mentioning at the time that I was afraid other departments would find out about the survey tool and try to use it for gathering more-sensitive information.

Fears Realized

Since then, just as I feared, several departments have expressed an interest in this application. After getting wind of this, I insisted that if the application was to be used in a production environment for collecting more-sensitive data, it had to go through the formal project life-cycle path.

As part of the security review, we conduct a variety of security assessments. We assess both the application and the server on which it will reside. In addition, we review the application's architecture, which typically involves understanding which ports the application must use and any relationships between the application and other production servers. We don't want one compromised system to lead to the compromise of others by way of trust relationships. We also ensure that the appropriate firewall rules are defined and that only the necessary services are allowed.

The survey tool consists of a stand-alone application that creates a survey. The survey is then pushed to a Web server via an encrypted session. To enable that, firewall rules must allow only the server containing the stand-alone application to communicate with the Web server. We also needed rules to allow only Web traffic to the Web server and to our network operations center to monitor the server.

To conduct the server and application assessment, we used the open-source Nessus scanning program and WebInspect from Atlanta-based SPI Dynamics Inc. In addition, we used scripts and other techniques as time permitted to further interrogate the server and the application. Any discrepancies in either must be fixed, or mitigating controls must be put in place.

For the survey-tool application, the server assessment came out perfect. That's because we have a top-notch baseline system image that has been hardened and patched. But the application assessment revealed a few items of concern, including a cross-site scripting vulnerability that could be exploited to cause the user to execute malicious code when viewing the survey. Once these vulnerabilities are fixed or mitigated, we plan to give the green light to the project leader to deploy this application.
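The cross-site scripting defect the assessment turned up is the classic one for a survey publisher: text typed by the survey author is pasted into the page that every respondent views. The following is an added example, not the column's survey tool (whose code is not on the page); it puts a deliberately vulnerable renderer beside the hardened form, and includes the kind of probe string an application assessment would feed the form, constructed here, to show how the two differ.

```python
"""Survey rendering: the cross-site scripting defect beside its fix.

Added example, not the survey tool described in the column. The survey
definition comes from whoever authored the survey, so every string in it
is untrusted from the viewer's point of view. The vulnerable renderer
concatenates those strings straight into HTML; the hardened renderer
HTML-escapes each one before it lands in a text or attribute context.
"""
import html
import re

# Constructed sample survey, as a survey author might have entered it. The
# second question is the kind of probe an assessment submits to find XSS.
SAMPLE_SURVEY = {
    "title": "Q3 Sales Tools Feedback",
    "questions": [
        "How often do you use the CRM?",
        'Comments <script>alert("xss")</script>',
    ],
}


def render_vulnerable(survey: dict) -> str:
    """The defect: author-supplied text is concatenated into markup unescaped.

    A viewer's browser parses the <script> element in question 2 as code.
    """
    parts = ["<h1>" + survey["title"] + "</h1>"]
    for i, q in enumerate(survey["questions"]):
        parts.append('<label for="q%d">%s</label><input id="q%d" name="q%d">'
                     % (i, q, i, i))
    return "\n".join(parts)


def render_hardened(survey: dict) -> str:
    """Same output shape, but every author-supplied string is escaped.

    html.escape(quote=True) turns <, >, &, " and ' into entities, so the
    browser shows the probe as literal text instead of executing it.
    """
    parts = ["<h1>" + html.escape(survey["title"], quote=True) + "</h1>"]
    for i, q in enumerate(survey["questions"]):
        safe_q = html.escape(q, quote=True)
        parts.append('<label for="q%d">%s</label><input id="q%d" name="q%d">'
                     % (i, safe_q, i, i))
    return "\n".join(parts)


_SCRIPT_TAG = re.compile(r"<script\b", re.IGNORECASE)


def contains_script_tag(rendered: str) -> bool:
    """Assessment-style check: does a live <script> element appear in the output?"""
    return bool(_SCRIPT_TAG.search(rendered))


if __name__ == "__main__":
    print("vulnerable output contains <script>:", contains_script_tag(render_vulnerable(SAMPLE_SURVEY)))
    print("hardened output contains <script>:  ", contains_script_tag(render_hardened(SAMPLE_SURVEY)))
    print(render_hardened(SAMPLE_SURVEY))
```

The escape is applied at output time, in the renderer, rather than at input time: the same survey text may later be emitted into a CSV export or an e-mail, where HTML entities would be wrong, so the rule is to encode for the context you are writing into.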
Next, I'm back to trying to find an automated way to detect rogue wireless access points. We're testing Cisco Systems Inc.'s triangulation feature. If configured properly, it can detect an AP within a 10-foot radius.

The problem is that the APs are often hidden, and we still have to find them. So we're working on a way to automatically trace media access control addresses from our switches back to network jacks in individual offices. It's still not an ideal approach, but it's definitely a start.
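One way to do the MAC-to-jack trace described above, as an added example rather than the author's tooling: parse a switch's MAC address table, look up the port a suspect MAC was learned on, and resolve that port through a patch-panel inventory. The table text, the inventory, the uplink list and the MAC values are all constructed samples; the table layout imitates the common "Vlan / Mac Address / Type / Ports" format but the parser is written for this sample, not for any particular vendor's output. The example also handles the case the column's approach has to cope with: a MAC learned on an uplink port is behind another switch, not on an office jack.

```python
"""Trace a MAC address from switch port tables back to an office network jack.

Added example, not the column author's tooling. Inputs are constructed:
per-switch MAC-table text in a "vlan  mac  type  port" layout, a jack
inventory keyed by (switch, port), and the set of uplink ports on which a
learned MAC means "behind another switch".
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample of one switch's MAC table output.
MAC_TABLE_SW1 = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0011.2233.4455    DYNAMIC     Gi1/0/3
  10    00aa.bbcc.dd01    DYNAMIC     Gi1/0/7
  20    00aa.bbcc.dd02    DYNAMIC     Gi1/0/12
  10    0099.8877.6655    DYNAMIC     Gi1/0/48
"""

# Constructed patch-panel inventory: (switch, port) -> office jack label.
JACK_INVENTORY = {
    ("sw1", "Gi1/0/3"): "Bldg A / Room 214 / jack A214-2",
    ("sw1", "Gi1/0/7"): "Bldg A / Room 230 / jack A230-1",
    ("sw1", "Gi1/0/12"): "Bldg A / Room 240 / jack A240-3",
}

# Constructed: ports that lead to other switches rather than to offices.
UPLINK_PORTS = {("sw1", "Gi1/0/48")}

_ROW = re.compile(r"^\s*(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+\S+\s+(\S+)\s*$",
                  re.IGNORECASE)


def normalize_mac(mac: str) -> str:
    """Canonical lower-case colon form for 'aabb.ccdd.eeff', 'AA-BB-...' or 'aa:bb:...'."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(hexdigits) != 12:
        raise ValueError("not a MAC address: %r" % mac)
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def parse_mac_table(switch: str, text: str) -> Dict[str, Tuple[str, str, int]]:
    """Map normalized MAC -> (switch, port, vlan); header and separator lines are skipped."""
    table: Dict[str, Tuple[str, str, int]] = {}
    for line in text.splitlines():
        m = _ROW.match(line)
        if m:
            vlan, mac, port = m.groups()
            table[normalize_mac(mac)] = (switch, port, int(vlan))
    return table


def locate(mac: str, tables: List[Dict[str, Tuple[str, str, int]]]) -> Optional[dict]:
    """Find the port a MAC was learned on and resolve it to a jack.

    Returns None if no switch has learned the MAC. If the port is an uplink,
    the jack field says so: the device is behind a downstream switch whose
    table must be queried next.
    """
    wanted = normalize_mac(mac)
    for table in tables:
        if wanted in table:
            switch, port, vlan = table[wanted]
            if (switch, port) in UPLINK_PORTS:
                jack = "behind uplink %s - query the downstream switch" % port
            else:
                jack = JACK_INVENTORY.get((switch, port), "unknown - port not in jack inventory")
            return {"switch": switch, "port": port, "vlan": vlan, "jack": jack}
    return None


if __name__ == "__main__":
    tables = [parse_mac_table("sw1", MAC_TABLE_SW1)]
    for suspect in ("00:AA:BB:CC:DD:01", "0099.8877.6655", "de:ad:be:ef:00:01"):
        print(suspect, "->", locate(suspect, tables))
```

In practice the suspect MAC comes from whatever flagged the access point in the first place (the wireless-side detection the column mentions, or an OUI match in the switch tables); this block only answers the second question, which physical jack the wired side of that device is plugged into.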





WHAT DO YOU THINK?

This week's journal is written by a real security manager, "Mathias Thurman," whose name and employer have been disguised for obvious reasons. Contact him at mathias_thurman@yahoo.com, or join the discussion in our forum: QuickLink a1590. To find a complete archive of our Security Manager's Journals, go online to computerworld.com/secjournal
Security Bookshelf

Network Security First-Step, by Thomas M. Thomas; Pearson Education, 2004.

I frequently receive e-mail from
me about the best
ics in a way that's easy to understand. He combines screen shots, diagrams and examples of things such as router and firewall access control lists to make his points. Overall, it's a good introduction for those who know little about the field.

- Mathias Thurman

release of SOX+, a set of tools designed to assist with Sarbanes-Oxley Act compliance efforts on SAP systems. The software is available now. Pricing starts at $40,000.

McAfee WebShield 3.0 Makes Debut
Workshare Ships Protect Version 3.0

Workshare Technology Inc. in San Francisco announced Workshare Protect 3.0, software that's designed to detect and eliminate unwanted metadata from Microsoft Office documents before they're e-mailed. The tool also integrates with Lotus Notes and Novell GroupWise software. Available now, Workshare Protect 3.0 starts at $25 per seat.

Asset Management Tools Improved

LogicLibrary Inc. last week released a new version of its Logidex software development asset management tools for J2EE and .Net. Version 3.5 is compliant with the Web Services Interoperability Organization's Basic Profile, according to the Pittsburgh-based company. Logidex 3.5 starts at $10,000 per server and $1,000 per seat.

Iomega Adds 35GB SCSI Disk Backup

Iomega Corp. has introduced the REV 35GB, an entry-level external SCSI disk drive designed to replace tape drives without disrupting server operations. The external drive sells for $499; an internal model costs $449.

Imprivata Updates Password Manager

Imprivata Inc., a vendor of password management and biometric authentication products in Lexington, Mass., shipped OneSign 2.5. The appliance features self-service password management functions and enhanced finger-biometric capabilities that eliminate the need for users to enter or select a username prior to scanning, said Imprivata.
tion Must Move Beyond SHA

AT THE Crypto 2004 conference in Santa Barbara, Calif., this month, researchers announced several weaknesses in common hash functions. These results, while mathematically significant, aren't cause for alarm. But even so, it's probably time for the cryptography community to get together and create a new hash standard.

One-way hash functions are a cryptographic construct used in many applications. They are used with public-key algorithms for both encryption and digital signatures. They are used in integrity checking. They are used in authentication. They have all sorts of applications in a great many different protocols. Much more than encryption algorithms, one-way hash functions are the workhorses of modern cryptography.

Ron Rivest invented the MD4 and MD5 hash functions in the early 1990s. Then the National Security Agency published a similar hash function called the Secure Hash Algorithm (SHA), followed by SHA-1, which today is the most popular hash function.

One-way hash functions are supposed to have two properties. First, they're one-way. This means that it's easy to take a message and compute the hash value, but it's impossible to take a hash value and re-create the original message. (By "impossible" I mean "can't be done in any reasonable amount of time.") Second, they're collision-free. This means that it's impossible to find two messages that hash to the same hash value. The cryptographic reasoning behind these two properties is subtle, and I invite curious readers to learn more in my book, Applied Cryptography (Wiley, 1995).

Breaking a hash function means showing that either — or both — of those properties aren't true. Cryptanalysis of the MD4 family of hash functions has proceeded in fits and starts over the past decade or so, with results against simplified versions of the algorithms and partial results against the whole algorithms.

This year, Eli Biham and Rafi Chen, and separately Antoine Joux, announced some impressive cryptographic results against MD5 and SHA. Collisions have been demonstrated in SHA. And there are rumors, unconfirmed at this writing, of results against SHA-1.

The magnitude of these results depends on who you are. If you're a cryptographer, this is a huge deal. While not revolutionary, these results are substantial advances in the field. The techniques described by the researchers are likely to have other applications, and we'll be better able to design secure systems as a result. This is how the science of cryptography advances: We learn how to design new algorithms by breaking other algorithms. In addition, algorithms from the NSA are considered a sort of alien technology: They come from a superior race with no explanations. Any successful cryptanalysis against an NSA algorithm is an interesting data point in the eternal question of how good they really are in there.

As a user of cryptographic systems — as I assume most of you are — this news is important, but not particularly worrisome. MD5 and SHA aren't suddenly insecure. No one is going to be breaking digital signatures or reading encrypted messages anytime soon with these techniques. The electronic world is no less secure after these announcements than it was before.

But there's an old saying inside the NSA: "Attacks always get better; they never get worse." These techniques will continue to improve, and probably someday there will be practical attacks based on these techniques.

It's time for us all to migrate away from SHA-1.

Luckily, there are alternatives. The National Institute of Standards and Technology (NIST) already has standards for longer — and harder-to-break — hash functions: SHA-224, SHA-256, SHA-384 and SHA-512. They're already government standards and can already be used. This is a good stopgap, but I'd like to see more.

I'd like to see NIST orchestrate a worldwide competition for a new hash function, like it did for the new encryption algorithm, Advanced Encryption Standard, which replaced the Data Encryption Standard. NIST should issue a call for algorithms and conduct a series of analysis rounds where the community reviews the proposals with the intent of establishing a new standard.

Most of the hash functions we have and all the ones in widespread use are based on the general principles of MD4. Clearly, we've learned a lot about hash functions in the past decade, and we can start applying that knowledge to create something even more secure.

Better to do it now, when there's no reason to panic, than years from now, when there might be. QuickLink 48921
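The column's "longer and harder-to-break" remark rests on a fact every practitioner should be able to quantify: even with no structural weakness at all, a generic birthday search finds a collision in an n-bit hash after about 2^(n/2) evaluations, so output length sets the floor for collision resistance. The following added example (not the column's own material) makes that concrete with the standard library's SHA-256: it truncates the digest to a chosen number of bits, runs the generic search, and shows it succeeding in a fraction of a second at 20 bits while the same loop gets nowhere at 64 bits. This is deliberately the generic bound, not the cryptanalytic results from Biham, Chen and Joux that the column reports; those beat the bound by exploiting the algorithms' internal structure.

```python
"""Why digest length matters: the birthday bound on collision search.

Added example, not from the column. SHA-256 (hashlib) is truncated to a
small number of bits so the generic birthday search becomes feasible; the
same search against the full output, or SHA-1's 160 bits, is hopeless,
because the expected cost is on the order of 2^(bits/2) hash evaluations.
"""
import hashlib
import math
from typing import Dict, Optional, Tuple


def truncated_digest(message: bytes, bits: int) -> int:
    """SHA-256 of `message`, keeping only the top `bits` bits as an integer."""
    full = int.from_bytes(hashlib.sha256(message).digest(), "big")
    return full >> (256 - bits)


def expected_trials(bits: int) -> float:
    """Approximate number of random messages hashed before a collision is likely:
    sqrt(pi/2 * 2^bits), the birthday bound."""
    return math.sqrt(math.pi / 2 * 2 ** bits)


def find_collision(bits: int, limit: int = 1_000_000) -> Optional[Tuple[bytes, bytes]]:
    """Generic birthday search: hash counter-derived messages until two share a
    truncated digest. Returns the colliding pair, or None once `limit` is hit."""
    seen: Dict[int, bytes] = {}
    for i in range(limit):
        msg = b"message-%d" % i            # constructed, distinct for each i
        d = truncated_digest(msg, bits)
        if d in seen:
            return seen[d], msg
        seen[d] = msg
    return None


def is_collision(pair: Tuple[bytes, bytes], bits: int) -> bool:
    """Check a pair: distinct messages, identical truncated digests."""
    a, b = pair
    return a != b and truncated_digest(a, bits) == truncated_digest(b, bits)


def bound_table() -> Dict[str, float]:
    """Birthday-bound work factor for the output sizes the column names."""
    return {name: expected_trials(bits)
            for name, bits in (("MD5", 128), ("SHA-1", 160), ("SHA-256", 256), ("SHA-512", 512))}


if __name__ == "__main__":
    for bits in (16, 20, 24):
        pair = find_collision(bits)
        print("%2d-bit truncation: expected ~%.0f trials, found %r" % (bits, expected_trials(bits), pair))
    for name, trials in bound_table().items():
        print("%-8s generic collision search ~ 2^%.0f evaluations" % (name, math.log2(trials)))
```

The table printed at the end is the whole argument for migration in one line each: moving from SHA-1 to SHA-256 raises the generic collision cost from roughly 2^80 to roughly 2^128 before any cryptanalytic shortcut is considered.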
Is Grid Computing Ready for Your Enterprise?

Computerworld's IT Executive Summit Will Guide Your Decision

If you're an IT executive* in an end-user organization, apply to attend Computerworld's upcoming complimentary half-day summit on

When done well, grid computing can lower hardware costs, reduce development and operational expenses and result in more effective systems management and use of processing resources. As grid moves from the realm of science and research into business applications, what are the risks, tradeoffs, and key considerations? How have other businesses evaluated the opportunities to use grid? Most importantly, is this emerging style of computing finally ready for your enterprise?

By leveraging the knowledge of industry experts and the real-world experience and advice of your IT peers, this IT Executive Summit will provide an overview of effective strategies for assessing and implementing grid technologies.

* Complimentary registration: qualified IT executives only.

Apply for registration today. For more information or to apply, visit www.itexecutivesummit.com

Grid Computing: Assessing the Reality and the Potential

Philadelphia - September 15, 2004
Philadelphia Marriott - 1201 Market Street - Independence Ballroom

7:45am to 8:15am - Registration and Networking Breakfast
8:15am to 8:45am - From Cutting Edge to Corporate Stage: Grid Computing and the Enterprise - Maryfran Johnson, Editor in Chief, Computerworld
Industry Analyst Perspective
Virtualization at CIGNA Corp.: Balancing Tactical IT Goals with Business Strategy - Ben Flock, VP of Virtualization and Application Frameworks, C
Refreshment and Networking Break
Update from the Enterprise Grid Alliance (EGA)
The View of Grid Computing from Iron Mountain - Bill Olsen, VP of Engineering, Iron Mountain
Key Considerations in Grid Computing Projects: An IT Executive Roundtable - Panel Moderator: Patrick Thibodeau, Senior Editor, Computerworld
Program Concludes

This program will also take place at the State Room (60 State Street) in Boston on September 21, 2004
WHO'S WHO IN IT

The Thrill of Crisis

You may think that database administration is a skill, but DBA Gary Rue knows it's an art. In his world, a crisis is always just around the corner. Page 36

Who Owns the
ely?

When business units fight to control the corporate Web site, the company loses.

By Mary K. Pratt

OPINION

Intelligent Disobedience

Executives with half-baked and hare-brained ideas can doom projects from the start, and scope creep threatens the rest. What's a project manager to do? Gopal K. Kapur has the answer: Just say no. Page 38
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¥ ORKERS at Excel Switching 
' Corp. spent months studying 


out a strategy and implement- 

ing their own Internet vision. 
But the planning couldn’t eliminate a 
common problem: internal debates. 

For example, engineers at the Hyan- 
nis, Mass., company, which sells hard- 
ware to the communications carrier in- 
dustry, wanted graphics and informa- 
tion to dominate the site, while mar- 
keters wanted a more streamlined ap- 
proach. “There is that push and pull,” 
says Bill Kelly, Excel Switching’s direc- 
tor of marketing programs, adding that 
the company takes a democratic ap- 
proach in those struggles. “Whoever 
has the most influential argument, 
we'll go with it,” he says. 

Technology experts and business 
leaders alike say ownership of corpo- 
rate Web sites is often up for grabs, as 
departments fight for placement, space 
and functionality. Marketing uses the 
Web site for branding, sales uses it to 
sell, and customer service uses it to 
minimize inbound phone calls. IT is 

left to support all the demands 
— within budget, of course. 
But internal bickering comes 
at a price — lost leads, delayed 


Petite Portfolio 

Big projects get all the attention, 

but several small projects can add up 
to big risks. Managing them efficiently 
requires a careful balance of rigor and 
common sense. Page 33 


launches and budget overruns — that 


| can cost the company sales, brand 
successful Web sites, mapping | 


recognition and customer satisfaction. 
A 2004 report from Jupiter Research 
in New York highlights the problem: 


| “Often there is neither an incentive for 


units to work together to accommo- 


| date each other’s objectives, nor a gov- 


ernance mechanism to maximize the 
overall value of the Web site as a cor- 
porate asset.” 

“The Web represents a confluence 
among different parts of the company,” 
says Jupiter Research senior vice presi- 
dent David Schatsky, who wrote the 
report. He points to a well-known con- 
sumer travel company that also serves 
businesses. The company’s business di- 
vision wanted to promote its business- 
oriented products on the Web site, but 
other divisions thought that would 
puzzle the company’s core clients: in- 
dividual consumers. “In that situation 
you need a higher authority who can 
make a decision,” Schatsky advises. 


The Cost of Dissension 


Jackie DiGiovanni, vice president 
of marketing and 
munication for U.S. 
Pensions at Toronto- 
Manulife Financial 


com- 
’ ) Group 
EF based 
Corp., 
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Pieces of Web Pie 


Web funding sources, by department 


Marketing: 
26% 


Sales: 
7% 
Finance: 
5% 


Other: 
8% —_~® 
Customer service: 4% 


Base for both: 254 IT decision-makers 


SOURCE: JUPITER RESEARCH, NEW YORK, 2004 


knows how costly those debates can 
be. When her division redesigned its 
Web site last year, the internal audit 
department wanted last-minute 
changes to the security features. Other 
departments disagreed with the pro- 
posal to assign new numbers and ac- 
cess codes to the 1.2 million partici- 
pants who would use the site, but audit 
got its way, DiGiovanni says. 

The change was a disaster, prompt- 
ing frustrated plan sponsors and par- 
ticipants to bombard Manulife’s cus- 
tomer service department with calls. 

“What internal audit wanted ideally 
was not workable in the real world,” Di- 
Giovanni says. Manulife spent $500,000 
and six months resolving the problem. 


Now she tells team members to bring | 


such disagreements to the attention of 
the next level of management. “We're 

more aware of needing to identify the 

conflicts and take more to the steering 
committee and let it get hashed out at 

that level,” she says. 

Web steering committees are typical 
at more sophisticated companies, 
Schatsky says. A financial institution, for 
example, might have leaders from IT, the 
mortgage unit, the credit card division 
and customer service on the committee, 
with the chairman reporting to a se- 
nior executive. 

But Rick Swanborg, president of 








Icex Inc., a research and content man- 
agement firm in Boston, says simply 


| forming a steering committee isn’t 


enough. “The companies that have 


| done a better job at it have really put to- 
| gether a specialized group with people 
| from IT, marketing [and] maybe some 

| people from human resources who can 


think through the best way to build the 


| corporate Web site,” Swanborg says. 


He suggests that a company form an 
entity that’s focused only on the Web 


| site and that holds ultimate responsi- 
| bility and authority. 


Jupiter Research’s report recom- 


mends appointing “a single executive 
| with responsibility for maximizing the 
| value of the company’s Web site over- 
| all.” That executive’s job would be to 
| make sure decisions support the whole 
| company’s objectives rather than the 
| goals of an individual department. 


Companies also need to define a pri- 


mary, high-level purpose for their sites. | 
| “We've heard it many times: ‘This is 


“It’s crucial to getting to the next step,” 


| which is to maximize the Web site’s re- 
| turn on investment, Schatsky explains. 


When developing its initial site in 


| 2001, New York-based Verizon Com- 


munications Inc. defined it first as a 
single door to the corporation and sec- 


| ond as customer-focused, says Maria 


Malicka, executive director of e-com- 
merce and call management. “We 
gained alignment around that, so we 
didn’t experience infighting or major 
disagreements,” she explains. 
Verizon also instituted an e-com- 


| merce council of vice presidents and 


directors to address corporate-level 
questions and develop high-level 
strategies for the site. And the compa- 
ny has stakeholder forums, so leaders 
from different departments can hear 
and weigh in on proposed Web site 
changes. “Everyone was at the table 
from the beginning,” Malicka says. 
These steps haven’t eliminated all 
debates about the Web site, she says. 
But they’re crucial to resolving depart- 


| mental conflicts so that the outcomes 


are best for the company. 
“We are all in alignment on its goals, 
and if there are any disagreements, we 


| have forums for discussion and negoti- 
| ations. And when we focus on goals 
| and customers, we don’t have any is- 


sues that we can’t resolve,” she says. 


A Clear Strategy

Randy Gravlin, president of Business Innovation Inc., a technology consulting firm with offices in Woburn, Mass., and Montreal, says that without a clear strategy, companies end up with “clusters” such as IT, business and marketing that ultimately have to come together to build a successful Web site.

going to be very hard. How do you bring these groups together to build a consensus?’ But it is doable,” he says.

Business Innovation worked with St. Louis-based Upbeat Inc. when the company spent nearly $1 million revising its Web site earlier this year.

Carla M. Russo, Upbeat’s vice president of material management and MIS, says the site was reworked to integrate it with back-office functions, collect better data and drive more traffic.

The marketing department at Upbeat, which manufactures and markets indoor and outdoor products for business and government properties, controlled the Web site prior to its redesign, Russo says. But marketing also oversaw the production of 5 million catalogs annually, and the Web site had to compete for limited resources. Sometimes that meant Russo and the webmaster were overruled.

Russo remembers one instance where she pushed for photos to correspond with each item available for sale on the site, arguing that customers want to see exactly what they’re buying. Marketing said no, citing limited time and resources.

But with the redesign, Upbeat’s CEO agreed with Russo and ordered new photos. Russo sees this as one sign of the company’s new focus on the Web.

“Prior to this redesign, the Web was there, but I don’t know if anyone was really treating it as a channel,” she says.

There was no clear marketing plan, and there were no specific goals. “Nobody was really driving it,” Russo says.

Russo now sees IT and marketing as having more equal standing, which means better decisions for the company overall. Upbeat even plans to add a new position staffed by someone who has both a tech background and marketing know-how to help bridge the two departments that run its site.

“Unlike other channels that can be owned by one department, the Web site is a unique animal. It just plays too interactively into other areas,” she says. “It’s the one channel where there has to be a clear collaboration.” QuickLink 48696

Pratt is a freelance writer in Waltham, Mass. Contact her at markmary@mindspring.com.

First Among Equals

Companies often put functionality or time to market first when it comes to their corporate Web sites, but they should put security at the top of the list, says Jonathan G. Gossels, president of SystemExperts Corp., a Sudbury, Mass.-based provider of network security consulting services with nine offices throughout the U.S.

That means the security team must rank as a major stakeholder as sites are built and revised.

“Security should be part of the overall plan. That’s early; that’s before anything has been written,” Gossels says.

Companies should have guiding principles when it comes to IT security, and those principles must apply to Web sites, says Bala Iyer, an assistant professor in the information systems department at Boston University’s School of Management.

Without those guiding principles, companies “could drop the ball on security” as they build their Web systems, Iyer says. Still, he believes many companies push security down on their list of priorities.

Gossels recommends that companies empower workers “to blow the whistle when something isn’t being built securely. The ownership of securing the firm is shared by everybody in the firm. Everybody’s reputation suffers if the cargo goes out without shutting the door.”

— Mary K. Pratt

Reaching Consensus

Web site operations are a never-ending series of upgrades and revisions, a process that invites input from every department under the sun.

Despite the various and sometimes conflicting orders that IT might receive from these stakeholders, experts say consensus is achievable. Here’s how:

■ Define a high-level, primary purpose for your corporate Web site. This will help guide decisions and serve as a reference point for resolving conflicts.

■ Name an entity - an individual, a steering committee or a new department - responsible for mapping the company’s overall strategic objectives onto the Web channel and resolving conflicts.

■ Invest in personnel who understand both marketing and technology, the two divisions most likely to dominate corporate Web site planning.
PROJECT MANAGEMENT experts will tell you that IT departments are doing a better job than they used to in delivering big projects on time and within budget. But shift the discussion to smaller projects — those valued at $250,000 or less — and their confidence starts to dwindle. “There’s a gap when it comes to small projects and the due diligence that should be applied to them,” says Margo Visitacion, an analyst at Cambridge, Mass.-based Forrester Research Inc. With small projects, IT project managers often spend less time on critical areas such as testing and quality assurance, says Visitacion. And even if IT departments have fairly mature project management disciplines in place, “they apply the practices, but the rigor goes down,” she says.

Other tasks that IT managers tend to downplay on small projects include documenting the business objectives, defining requirements and managing changes, consultants say.

While individual small projects may seem less significant, they add up. This year, for example, the U.S. Food and Drug Administration has 28 projects it defines as “major” on tap that cost at least $5 million per year or $20 million over the life of the project. But the 50 to 60 “nonmajor” projects in the pipeline this year represent $40 million of the agency’s $200 million IT project budget, says Rod Bond, director of strategy and planning at the FDA in Rockville, Md.


What to Keep

Project managers understand that they can be more flexible with small projects but critical requirements remain. At Capital One Financial Corp., effective small-project management starts with defining the criteria for a small project — those valued at $50,000 or less — and establishing a set of requirements that have to be met. For instance, the manager of a small project at McLean, Va.-based Capital One will place greater emphasis on how changes directly affect end users and focus less on technical change management issues, says Ray Frigo, vice president of corporate technology management at the credit card issuer.

Since it began refining its project delivery approach three years ago, Capital One has scaled back documentation requirements for smaller projects so they don’t become too cumbersome to manage, says Frigo. The tailored small-project methodology has helped the company complete projects 10% to 15% faster this year, he says.

The FDA uses IT portfolio management software from Portland, Ore.-based ProSight Inc. to help ensure that small projects go through much of the rigor that bigger projects do. Project managers design a work breakdown schedule and a budget plan for each phase of every project, says Bond.

What to Drop

But other big-project requirements, such as documenting each step, can be waived. “For a $25,000 project, you’d spend more time documenting than you would building,” Bond explains.

At Russell/Mellon Analytical Services LLC, managers prioritize and rank projects of all sizes with the help of a project management office (PMO) that was created four years ago, says Tammy Reuter, manager of strategic initiatives at the Tacoma, Wash.-based provider of investment analysis services.

The PMO mandates that project managers develop a business case for each effort, regardless of size. “We want to make sure that the smaller projects we pick are the most critical,” says Reuter, whose group uses portfolio management software from Bellevue, Wash.-based Pacific Edge Software Inc.

But certain efforts don’t meet the threshold for project rigor. For example, if the company has a $20,000 software enhancement to complete, “we don’t do much management of that other than determining which tweaks will be done first,” Reuter says.

■ Establish criteria for small projects, including duration and dollar

■ Monitor projects, even if it’s done via e-mail or spreadsheets.

■ Consider setting aside a budget specifically for small projects so that project sponsors don’t have to


A business case also has to be made for projects of all sizes at Brown Brothers Harriman & Co., a private bank in New York. The difference is that a smaller project might not require the same amount of detail. “Maybe a two-page business-requirement document instead of a 50-page document,” says Rick Berk, the bank’s CIO.

The bank’s senior management monitors all projects using a combination of weekly and monthly reports developed with portfolio management software from Redwood City, Calif.-based Niku Corp.

Large projects still command more quality assurance staffers than small projects, Berk says. But to ensure that smaller projects are held to a consistent standard, the bank’s IT staff has written test scripts for them. That enables the bank to perform faster and more automated regression testing that’s “less of a burden for smaller projects,” says Berk.

IT shops vary in their approach to small projects, but Forrester’s Visitacion says smart project managers agree on one thing: “You can scale down the rigor, but you can’t throw away the requirements.” QuickLink 48650


CHECKING OUT CMM

CMM: The Capability Maturity Model can add rigor to projects of any size:

QuickLink 48652
www.computerworld.com
Commonwealth of Kentucky


The Thrill

DBAs are often the last to be involved in planning but the first to be called when things go wrong.

What is a database administrator? Someone who maintains and supports the database engine. In database administration, there are the people on the design and architecting of the database — the logical side — and then there’s the physical component, where we take the logical and make it into the physical and administer the database after it’s up and running. The area that I manage is more on the production and physical side of database support.

What is the most important contribution you make, and how do you make it? Our most important contribution is to keep the database running. It’s an on-call function; you never know what might happen. Half the branch was up all night last night restoring a database because of a failure. Data recovery is very important, and so is performance tuning and problem solving. In IT, you tend to start at the back end and work out to see where the problem lies, so generally, we’re one of the first areas that will be contacted when a problem occurs.

What is the most important IT skill or aptitude you need to do your job? We need to understand how the database engine works. We need to understand the technical components of the application environment, the processes within the environment and the relationships of all the people surrounding the environment. There’s science, but there’s art as well.

What is the most important “soft” skill or personality characteristic you need to do your job? We have to be good sounding boards. We have to help others identify and solve their own problems. They tell us what they think is wrong, but we have to get them to see outside of where they think the problem is, because if they really knew, they wouldn’t be talking to us in the first place. A good database administrator has to see the relationships among the technology pieces, the people, the systems. We have to see the bigger picture and relate it. Sometimes we have to take a very technical piece and translate it to people at all levels of technical knowledge. That’s hard to do.


What is the biggest misconception about what you do? We’re a very tactical group — we have to be. But there’s a strategic part of what we do so we can apply the tactical parts appropriately. For example, a developer says, “Create these tables.” But for us to really do a good job, we need to know why. We need to know how and when those tables are going to be accessed. We need to understand the system so we can apply appropriate security. We also have to understand what type of data recovery scenarios we need to address, how and when to do the backups and where they will be stored. And we need to go through all types of scenarios to adequately recover that database.

What do you like best about your job? The people we work with. The systems people, developers — they’re all problem solvers. They’re all smart, creative IT people. And being in support, a crisis is always just around the corner. I like the thrill of the crisis. I like being put on the spot to find a way to solve a problem.

What do you like least? I don’t like to take care of problems that, if I’d gotten enough information upfront or the right information, we could have dealt with it then. I don’t like to put something in production and then have to fix it because future possibilities hadn’t been considered.

What should IT people know about your role? Today’s developers have databases on their desktops, so they think they’re mini-DBAs. When we get involved, it’s always after the implementation. Lots of issues could have been addressed if we had been involved earlier in the development process. Also, we do have a recovery role, and we should be asked about the recovery possibilities when a database goes down. IT people sometimes think they know how to recover, so generally we get brought into it because they have recovered incorrectly.

What should business people know about your role? Business people think IT can do anything, but they need to know that there is a cost associated, and sometimes the cost is too high to implement certain features. There are still priorities you have to set.

What would enable you to do your job better? Having more database tools and early interaction during the development process.

If you were not a data architect, what would you be? A detective. Trying to dig information out of people, the ability to look at disparate pieces of information and apply them appropriately to determine how an event happened — you have to be a little bit of a detective as a DBA.

How does the future look for your role? I think of us as the hub. The business user, the developer, the operations person, the systems person — they all relate to the database in some way. Our job changes slightly with new technology, but I think a DBA will be a very, very important role for years to come. And besides, everybody needs someone to point the finger at. QuickLink 48695

Interview by Kathleen Melymuka. Rue can be contacted at gary.rue@ky.gov.
BOOK REVIEWS

Recent management books provide tips on IT governance, CIO survival, agile project management and understanding hackers.

IT Governance: How Top Performers Manage IT Decision Rights for Superior Results, by Peter Weill and Jeanne W. Ross (Harvard Business School Press, 2004; 269 pages, $35). IT governance is a pressing issue these days, particularly since technology spending accounts for up to half of all capital expenditures at many companies. But few managers can accurately describe IT governance within their companies, much less quantify the impact of good governance on their bottom lines.

Weill and Ross, research scientists at the Center for Information Systems Research at MIT’s Sloan School of Management, do just that and more. For instance, a CISR study of 256 global companies reveals that the profits of companies with top-notch IT governance practices are 20% higher than those of companies with poor IT governance. More important, the authors thoroughly describe what IT governance is, classify the approaches used to govern IT and offer advice on how to set up an IT governance committee. While the authors acknowledge that there is no one-size-fits-all approach to effective IT governance, their research finds that companies that are focused on either profits or growth tend to have similar governance models. The book is aimed at for-profit companies, but it has a chapter devoted to government agencies and not-for-profits. This is highly recommended reading for anyone who’s struggling with these issues.
Agile Project Management: Creating Innovative Products, by Jim Highsmith (Addison-Wesley, 2004; 277 pages, $34.95). Although agile software development has been practiced for several years, many companies continue to be hampered by process-laden, top-down project management approaches. Enter agile project management, a more responsive and flexible approach to project management. This approach places more authority in the hands of project leaders and line workers who are doing the executing while concentrating on delivering customer value.

Don’t assume that agile project management is “PM lite.” In Highsmith’s view, agile project management doesn’t dismiss the importance of effective quality assurance, documentation or testing, but it does de-emphasize them as core principles. Instead, Highsmith effectively cites forward-thinking project management principles that have been espoused by his peers and pulls them into a cohesive, usable approach. He also goes to great lengths to explore the single most critical component of effective project management: people.


CIO Survival Guide: The Roles and Responsibilities of the Chief Information Officer, by Karl D. Schubert (John Wiley & Sons, 2004; 294 pages, $45). This up-to-date how-to book is useful for seasoned CIOs as well as newcomers who have recently transitioned into the role.

Schubert, a former chief technical officer at Dell Inc. who’s currently chief operating officer at network storage provider Zambeel Inc., offers readers a logical approach to the CIO’s role and challenges, including tips on building relationships with company executives, business partners and other key constituents. Particularly useful are checklists such as “Ten Questions the CIO Must Ask the CEO.” Schubert’s work draws upon insights from several leading management gurus, including Harvard Business School’s Clayton M. Christensen and John Seely Brown. This book is a good read for any CIO who’s trying to thrive or simply survive.


Know Your Enemy: Learning About Security Threats, by The Honeynet Project (Addison-Wesley, 2004; 768 pages, $49.99). Founded in October 1999, The Honeynet Project (www.honeynet.org) is a nonprofit research organization of security professionals who built a computer network, wired it with sensors, put it up on the Internet and recorded what happened. (The actual IP address isn’t published and changes regularly.) Hackers’ activities are recorded as they occur: how they try to break in, when they’re successful and what they do once they break in.

This is a fairly technical read with quite a bit of information about how honeynets work and what goes into both Unix and Windows computer forensics. But the authors also provide a detailed sociological analysis of the white-hat and black-hat hacker communities, including an extensive examination of their motives. QuickLink 48699

— Thomas Hoffman

Check out previous book reviews on our Web site:

QuickLink 22240
www.computerworld.com





38 COMPUTERWORLD August 30, 2004


CXO Names CTO

ALOK BATRA has been named chief technology officer at CXO Systems in Waltham, Mass. In his previous role as vice president of engineering, Batra led the development of the company’s management dashboard products. He co-founded Dashboard Systems, which is now CXO Systems.

Transplace Picks Cashman for CTO

ROY CASHMAN has joined Transplace Inc. as CTO. Plano, Texas-based Transplace is a transportation logistics management provider. Previously, Cashman was CIO at Ruan Transportation Management Systems.

Carver to Head IT Unit at Dana Corp.

BRUCE C. CARVER is now CIO at Dana Corp., an automotive products manufacturer in Toledo, Ohio. Previously, Carver was division CIO for PepsiCo Beverages and Foods, a unit of PepsiCo Inc., and CIO at The Reynolds and Reynolds Co., a provider of automotive software.

Certoma to Lead IT at Wachovia Unit

SUSAN CERTOMA has joined Charlotte, N.C.-based Wachovia Corp. as CIO of the company’s corporate and investment bank. Previously, she was a vice president in the global sales technology organization at Goldman Sachs & Co.

Holeman Moves to Sentient Jet

DAVID HOLEMAN has been named vice president of IT at Sentient Jet Inc., a Norwell, Mass.-based private jet service. Holeman will be responsible for specialty technology as well as for CRM and call center technology. He was previously CIO at Monitor Group in Cambridge, Mass.
Intelligent Disobedience

DISCUSSIONS with project managers about the key causes of failed and challenged projects always raise two primary issues: half-baked or harebrained ideas becoming projects, and excessive scope creep.

Traditionally, senior management is charged with conceiving ideas that will drive the organization toward profitability and industry leadership. Hence, there is immense pressure on executives to deliver innovative ideas that can be turned into products and services for profit and competitive advantage. Unfortunately, these visions are often intertwined with any number of half-baked and, at times, harebrained ideas. When half-baked and harebrained ideas get communicated to them, many project managers don’t object because of a culture of not questioning the senior people. The general thinking is, “How could they be wrong?”

Another big contributor to failed and challenged projects is the inevitable scope creep. We all know that at times customers can be unreasonable and unrealistic in their expectations, but they’re also subject to external pressures they can’t control — government regulations, competitive positioning, emerging opportunities and the classic “silver bullet” syndrome, also known as Management by Magazine. (This occurs when the customer reads an article on an airplane while 35,000 feet over Kansas and forms a new vision.)

But forcing the team to agree to continuous scope creep is clearly not the solution. And you get hit with a double whammy when projects are built around half-baked ideas. A half-baked idea that turns into a project with extensive scope creep is a nightmare.

What can project managers do to minimize these problems? Simply stated: Learn to say no.

Of course, project managers may feel that they don’t have the ability or wherewithal to say no and that their only option is to do as they’re told, even though they know that the outcome may harm the organization. This begrudging compliance is an unfortunate attitude in any circumstance. In the extreme case, it can lead to disaster.

This is where the concept of intelligent disobedience comes into play. Intelligent disobedience is a trait clearly illustrated by guide dogs for the blind: At an intersection, based on traffic sounds and a general sense of safety, the blind person initiates the move to cross the street, giving a signal to the dog. If traffic is blocking the crosswalk, however, the guide dog will disobey the move-forward command. In guide-dog training lingo, intelligent disobedience is the dog’s response when it senses that the path ahead is dangerous. It disobeys even though the owner wants to proceed.

Now consider a different scenario: The dog disobeys the owner’s command because it sees traffic blocking the intersection. The dog’s owner punishes the dog for its disobedience until the dog finally proceeds. You can imagine the consequences.

It’s important to note that dog owners are trained to trust their guide dogs because the two have to work as a team for the protection and safety of the owner.

The essence of the intelligent disobedience behavior as it applies to project managers is to say a firm “no” to the demands of executives and customers when such demands will put the project, and hence the organization, in harm’s way. Humans are supposed to be smarter than dogs, but it’s amazing how difficult it is to teach humans to exercise intelligent disobedience.

Intelligent disobedience requires empowerment and trust. It’s important that project managers be well trained in reading the danger signals and empowered to push back when they believe that a proposed project will put the organization in harm’s way or that the requested scope creep will create undue risk. Project sponsors and customers have to learn to trust their project managers to do the right thing.

Unfortunately, project managers can’t change the culture on their own because many lack the political chips and the skill to negotiate with overbearing executives and unreasonable customers. They need the sponsor’s help and support.

For intelligent disobedience to become accepted, sponsors must work to establish an environment of open and forthright communication with trust and respect for their project managers.

Whether project managers react with intelligent disobedience or begrudging compliance largely depends on the organization’s culture. Are project managers in your organization encouraged to practice intelligent disobedience? QuickLink 48678
Got Questions About Network Consolidation?

Computerworld’s IT Executive Summit Has the Answers

If you’re an IT executive* in an end-user organization, apply to attend Computerworld’s upcoming complimentary half-day summit on Network Consolidation.

CIOs and senior IT executives are finding that consolidating high-performance networks can play a key role in improving business application performance while significantly reducing operational costs.

The proliferation of network capacity and related storage and server infrastructure presents a daunting challenge for today’s enterprises, many of which are positioning themselves for growth yet still seeking to reduce IT costs where feasible.

By leveraging the knowledge of industry experts and the real-world experience and advice of your IT peers, this IT Executive Summit will provide an overview of effective strategies for consolidating and connecting networks and data center applications.

*Complimentary registration is restricted to qualified IT executives only.

Apply for registration today. For more information or to apply, visit

Streamlining Networks and Data Centers: The Business Benefits of Consolidation

Dallas • September 22, 2004
Renaissance Da
2222 Stemmons Freeway

7:30am to 8:00am  Registration and Networking Breakfast
8:00am to 8:1  Rebuilding the IT Foundation
8:15a  Consolidation and the Data Center: Boosting Business Performance and Application Availability
User Case Study — Hilton Hotels: Considering the Next Generation Network
User Case Study — MasterCard International
Refreshment and Networking Break
Infrastructure Makeover: Moving the U.S. Air Force Toward Network-Centric Services Delivery
Customer Challenges and Solutions: Real-Life Scenarios Connecting Data Centers Over Distance
Panel: Overcoming Management Barriers — Making the Case for Consolidation

Exclusively sponsored by CIENA

Selected speakers include:

Maryfran Johnson, Editor in Chief, Computerworld
Brigadier General Brad Butler, Deputy Chief Information Officer, U.S. Air Force
Jerry McElhatton, Senior Executive Vice President, Global Technology and Operations, MasterCard International
Damien Bean, Vice President, Corporate Systems, Hilton Hotels
Steve Adolph, CTO, Enterprise Solutions Group, CIENA
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iT PROFESSIONALS 
Senior Manager, Strategy and Operations 


(Glen Mills, Pennsylvania and other locations through the U.S.). Lead 
sales pursuits and execution of re-engineering projects from conception 
to final delivery in the area of strategy and operations as well as supply 
chain and procurement assignments for clients. Responsible for industry 
and client financial and strategic analysis, modeling and business case 
development. Responsible for New Product Development Stage Gate 
Processes, strategic procurement and sourcing, advertising effective- 
ness, SAP Process design and configuration and Trade Promotion 
Management within the Consumer Business industry. Manage perfor- 
mance of projects including identification of issues, root-cause analyses, 
the structuring of solution frameworks, financial analysis and modeling 
and data analysis. Lead vendor discussions and negotiations, and act as 
the primary interface with senior client executives. Supervise client 
change management programs, including enterprise-level constructive 
communications. Responsible for recruitment of engagement teams. 
supervising Consultants at various levels, providing direction to the team 
and providing feedback on their performance. Responsible for systems 
selection and implementation, including ERP, e-sourcing and new product 
development. Create tools, frameworks and methodologies to develop 
intellectual capital. Responsible for trade promotions management includ- 
ng best practices and supporting technology. 


The wage offered is $135,000 per year. The work schedule is Monday- 
Friday, 9:00 am to 5:00 pm. The minimum requirements are as follows 
Bachelor's degree in Business Administration, Operations, Finance or 
Management + 7 years of experience in the job offered or 7 years of expe- 
rience as a Senior Manager, Manager, Senior Consultant, Consultant, 
Account Director, Account Manager, Account Executive or related occu- 
pation. Employer will regard a foreign degree to be equivalent to a US 
Bachelor's degree as determined by an accredited academic credentials 
evaluation service. Related experience must include at least 2 years with 
Sales and Merchandising Strategy in account management, SAP process 
design and configuration, Trade Promotion Management, and New 
Product Development, including experience with the Stage-Gate process 
Strategic sourcing and project management with consumer product and 
retail industry segments as well as Consumer Business Strategy and 
Operations. 


Please send your resume, referencing Job Order Number WEB448386 to 
the: PA Careerlink, FLC Unit, 235 W. Chelten Avenue, Philadelphia, PA 
19144, EOE 


IT PROFESSIONALS
Senior Consultant

(Glen Mills, Pennsylvania and other locations throughout the U.S.). Perform accurate analysis and effective diagnosis of client issues and manage day-to-day client relationships and project teams. Responsible for assisting client organizations in developing roadmaps to establish customer analytics environment and support business growth. Evaluate the existing customer care processes including Siebel implementations for telecommunications industry clients and define, develop and deliver training programs to enhance user acceptance. Perform business process reengineering, strategic planning and knowledge management related to development and implementation of new business and system processes. Define systems strategy, develop system requirements, administer testing and training, and define support procedures for systems including CRM systems (Siebel), and application portal (Broadvision). Identify and evaluate control structures, especially for IT-enabled processes. This includes identification of inadequate practices, testing of control systems, recommending measures for improvement, and establishing plans for ongoing monitoring. Actively evaluate client's systems in relation to the competitive landscape, identify efficiency frontier and develop reinforcing activities and capabilities for sustainable competitive advantage.


The wage offered is $95,000 per year. The work schedule is Monday-Friday, 9:00 am to 5:00 pm. The minimum requirements are as follows: Bachelor's degree in Computer Science, Engineering (any), Management Information Systems or Business Administration + 2 years of experience in the job offered or 2 years of experience as a Senior Consultant, Consultant, Systems Analyst or related occupation. Related experience must include at least two years of consulting experience in the telecommunications industry with at least one year of CRM Systems knowledge including Siebel development and Broadvision. Please send your resume, referencing Job Order Number WEB448348, to the: PA Careerlink, FLC Unit, 235 W. Chelten Avenue, Philadelphia, PA 19144. EOE


Recognition Algorithms Dev. Engineer - Recognition problem classification w/respect to real-life images & analysis of system requirements. Mathematical formalization of specific recognition problems using Probability Theory, Neural Networks, ... Recognition & ...stroke Theory. Development of program architecture & interfaces. Development of algorithms ... Statistical data analysis ... processing algorithms ... & SW development for field location on forms, form removal, document structure analysis, phrase & word segmentation. Implementation of algorithms using C/C++ & Assembler in actual recognition products. Tuning & customization of recognition products for ... data sets. Optimization, support & improvement of the ... for Win & UNIX platforms. Req: ... Comp Sci or related field + ... knowledge of Algorithm development & implementation; Probability Theory, Statistics, Neural Networks and ...stroke Theory, Document analysis for handwriting recognition, C/C++ & Assembler. $70k. 40 hrs/wk. Boulder, CO. Must have proof of legal authority to work permanently in U.S. Application by resume only to Workforce Development Programs, PO Box 46547, Denver, CO 80202. Ref job# C05088878.

SENIOR SOFTWARE ENGINEER. Responsible for design of back end products (Service Monitor) used by company's major products. Design XML/COM property set based communication architecture between back end and high level front ends using Visual Basic script. Design silent script based setup program for remote deployment. Design libraries, programming tools and unit testing tools for Service Monitor programming environments. Supply samples and programming guidelines. Responsible for technical lead and training with Microsoft technologies, Visual Basic and Visual C++ multitier applications using WIN32, ATL, COM, COM+ and .NET. Responsible for WIN32 and COM design and programming technical support. 40 hrs/wk. Bachelor's degree in Computer Science. 4 yrs. exp. in job offered or 4 yrs related exp. in software engineering and/or consulting. $107,008/yr. Apply at the nearest Employment Security Commission office of North Carolina or submit resume to Employment Security Commission, 742-F East Chatham Street, Cary, NC 27511. J.O. # NC5705907 and DOT code 030.062-010. All resumes must include applicant's Social Security Number. AD paid by an Equal Opportunity Employer.


Seeking qualified applicants for the following positions in Memphis, TN: ... applications systems requirements, testing and controls. Requirements: Bachelor's degree or equivalent* in business, computer science, engineering, mathematics, MIS or related field, plus 5 years of experience in systems planning and design or systems development and integration. Experience with mainframe systems support, invoicing/revenue testing, and writing and executing test plans and test scripts also required. *Master's degree in appropriate field will offset 2 years of general experience. Submit resumes to David Hanks, Federal Express Corporation, 3680 Hacks Cross Road, Bldg H, 1st Floor, Memphis, TN 38125. EOE M/F/D/V.


Oracle Clinical Consultant to plan, design study in Oracle Clinical 4.0; develop DCMs, remote data entry screens, DCIs etc; design, develop validation procedures using PL/SQL in Oracle Clinical's validation module; develop SAS, SQL views using TOAD, SAS, Oracle Clinical; perform CRF designing, database building, randomization, query resolution, reporting, subject randomization algorithms using Oracle Clinical Normlab, SAS, SPSS, Adobe Framemaker. Require: MS in CS, Computer Engg or Statistics and 6 months exp in Oracle Clinical, SAS. Competitive salary, F/T, travel involved. Resumes to: Scott Bryant, Judge Technical Services, Inc., 3 Davol Square, Suite 3A, Providence, RI 02903.


COMPUTER

T&T Solutions seeks Software Engineers, Sr. Software Engineers, Systems Analyst, Oracle Apps., technical consultants etc. Salary commensurate w/education & exp. Fax resume to (818) ... 1272 or e-mail jobs@ttsus.com c/o HR Dept.


SYSTEMS ANALYST - Udr. sprvsn. analyze usr. telecomm. reqs. to install & improve syst. Req: BS in CS or Comp. Info. Sys. & fluency in Japanese & English. Resumes: Syscom USA, Inc., 55 Broadway, 17th Floor, NY, NY 10006. Attn: S. Sato.


Denso Manufacturing is looking for Process Engineer responsible for heat exchange process introduction (Evaporator area) including jig specs, control plans, ergonomics, leaks & scrap improvement. Min is BS with exp in XRD, Unix. Send resumes to One Denso Rd, Battle Creek, MI 49015. EOE


K&M Softech is looking for programmer/system ..., software/project engineers, IT professionals. Both entry & experienced levels needed. Some positions require travel. Skills in C/C++, VB, Oracle, SAP, SQL, Java are a plus. Please send resumes to: Recruit@kmsoftech.com. EOE


Systems Analyst II. BS in Comp. Sci. or rel field + 2 yrs rel exp, incl exp w/GAAP principles, insurance & mortgage business concepts & calculations & s/ware dvlpmt ... Windows or Internet platforms. Demonstrated oral & written communication skills. Send applications to Tej Dhawan, 1601 - 48th St., Ste. 220, Des Moines, IA ...




Software Developer. Under senior supervision, analyze, design, implement and maintain software for banks in mortgage industry including consulting w/financial projects; design and model databases on database servers; and develop new software not currently existing in the industry. Must have Bachelor's degree in Computer Science, MIS or related, 1 year experience in job offered or Software Engineer or related, and experience must include working with Java, Eclipse, XML, SWT/JFace, UML and Rational Rose. Send resume to Praxis Technology Group, LLC, Attn: Mark Loomis, 1500 NW 118th St., Des Moines, IA 50325.


In-Venture Soft is seeking IT consultants to design & develop applications for various projects. Applicants must have BS/MS with solid background in Oracle, WebSphere, Java, EJB, ASP. We offer competitive wage with full benefit. Travel may be required. Apply at resume@ivsine.net. EOE


RouteOne, a joint venture developed to create a more efficient automotive finance process for dealers, has openings for IT professionals to develop Java applications. Qualified applicants must have BS/MS with IT experience. Please contact careers@routeone.com. No calls. EOE


LOOKING FOR A NEW IT CAREER? WWW.ITCAREERS.COM
Programmer Analysts to analyze, design, test, implement and maintain software systems in client server environments using Java, HTML, Access, etc. ... to describe program development and ... offsite maintenance, ... and code ... Require: BS or foreign equivalent in CS/Eng ... with ... Competitive salary, F/T ... Resume to HR, Or... ...ologies ...

... platforms ... products & ... configuration, networking between ... provide task mgmt. to d-base specialists. Req. B.S. in EE, Computer Eng, or Math. Must have ... work exp or as a DBA & knowledge of DB2 internals, DB2 DD tools, DB2 tuning/design/security/backup & recovery as needed. Send copy of ad w/resume to Networking for Future, Inc., Attn: H. Fatemi, 1420 Spring Hill Rd, Ste. 600, McLean, VA 22102.


Software Engineer - Applications

Design and develop software application solutions for the investment banking/financial, telecom and IT industries. Must have Masters Degree in Computer Science or in a related field & 2 yrs. exp. or 2 yrs. exp. in a related position w/ability to use JavaScript, Struts, Lynx Framework, and Pro*C. 40.0 hrs./wk, 8:00 AM - 6:00 PM. ... 8+ yrs of ... Applicants send cover letter and resume to: Cyber Korp Inc., 406 ... West Lake ..., 216, Roselle, IL ... Attn: HR MGR.


Sr. Systems Analyst/Project Mgr needed to lead analysis of client bus. process/acctg. requirements for implement. of custom ERP/acctg. software. Requires degree + exper. & Microsoft Navision certification. Exper. must incl: Gap-fit analysis reporting; Microsoft C/SIDE programming; demonstrated understand. of gen. acctg. procedures. Based in Santa Monica, CA - Travel up to 80% to client sites in N. CA & S. CA. Send resume to: S. Mauser, Specialists in Custom Software, 212... Colorado Ave., Suite 150, Santa Monica, CA 90404. Must be able to work without employer sponsorship.




...opment of networking ... Responsible for functional spec dev, arch design, implementation and verification. MS or foreign equiv. in EE or CS plus 5 yr. ... include 3 yr. with network protocols including IP, ARP, DHCP, DNS, SNMP ... and firewall... Must be familiar ... IP QoS ... and RF ... Must have dev... Please send resume ...


... solutions ... technical problems ... dsgn & dvlp applic s/ware using Unix, C, C++, Java, Oracle, VB, UML, TCP/IP & Win NT ... automation ... to provide ... business & ... dsgn & dvlp systms on client-server architecture applying OO techniques. Resume to: Global Consultants, Attn: Hireme, 8800 Grand Oaks Circle, Ste 100, Tampa, FL 37...


Support Mgr. Dallas, TX. Manage team of prof. support consultants & provide back end support in deployment, installation & troubleshooting of Amtrix & TSIB ... liaison w/development team in integration, stress & load testing of Amtrix & TSIB. Use Weblogic, Exceed, AMTrix & TSIB; Oracle 8i & 9i on Unix & WinXX OS. Req: BS ... yr exp AMTrix integration ... support & ... configuration ... troubleshooting ... Resumes to Viewlocity, Inc., 3475 Piedmont Road, Suite 1700, Atlanta, GA 30305.

Software Developer, Austin, TX. Use S1 corp standard dev tools & project method to develop, install & test solutions to specific user tech & bus. problems within context of S1 Bank products using Borland Delphi 7. Req: BS comp sci, engg, or related, ... yrs consultant or engg. & knowledge of Delphi, Java, UML design tools, ISS, SQL, and ClearCase. Perm US workers only. Resume to N. Williams ... Green (TX), S1, Inc., 3500 Lenox Rd., Ste 200, Atlanta, GA 30326.


Where The Best Get Better! www.itcareers.com
COMPUTER PROFESSIONALS ... opportunities for ... SYSTEMS/BI ... * WEB ARCHITECT/DEVELOPER ... GRAPHIC ... NETWORK ENGINEER ... * PROGRAMMER/ANALYST * SOFTWARE ENGINEER ... Data Warehousing ..., ReportNet, Crystal Reports; lead analysts/engineers ... development ... engineering exp. (3 years ...). Send resumes to Com... S, Inc., an MTC company, at sbinskas@comrr...

Software ... C++. Compilers, Informix-4GL, SQL Server, Oracle, Java Servlets, XML, ASP, Visual Basic, EJB, JavaScript, DHTML ... ...X OSs; design API framework ... under ... backup/recovery ... provide on site maintenance support such as debugging, modifications, fine tuning & optimization. Require: BS or MS in CS/Engg. (any) ... yrs of exp. in F... Competitive salary. Travel ... Resumes to: HR, ... Technologies, Inc., ...comb Bridge Road, Norcross, GA 30092.


Computer Programmer/Analyst wanted by IT company located in Southfield, MI. Must have B.S. in Computer Science and 1 1/2 years exp. Respond to: Atrient Technologies, P.O. Box 250575, West Bloomfield, MI 48325.
CHILDREN & FAMILIES
Chief Information Officer

... social services ... Represents agency in me... state and legislative officials ... Requires ... experience ... Requires effective ... and demonstrated expertise supporting ... UNISYS A... MCP/DMSII ... design and development, desired ... regarding ... various ...

Submit resume and/or State of Florida employment application to Jo Moore, Department of Children & Families, Technology Centre, 1940 North Monroe Street, Suite 80, Tallahassee, Florida 32399-0710; FAX (850) 487-8173; Jo_Moore@DCF.State.FL.US. DEADLINE 5 PM, September 8, 2004. AA Employer/Veteran...

... specializing in ... analyze user needs and develop software solutions. Develop software or customize software for client use with the aim of ... efficiency ... Analyze and design databases with application ... Use of Novell, Visual Basic, PowerBuilder, Java, ASP, PL/SQL, SQL, SQL Server and Windows NT. Reqs. Masters or equivalent in Computer Science, Computer Engineering, Engineering (any field) or related field. Plus 1 year in the job offered or 1 year in a related occupation including Programmer Analyst, Systems Engineer, Software Engineer. Will accept Bachelor's ... experience. 40 hrs./wk. ... and refer to ...

COMPUTER PROFESSIONALS: Radiant Systems, Inc., a Nationwide Technology provider located in NJ, CT, TX & FL, requires Professionals w/ Hardware &/or Software skills: Java, JavaScript, Perl, HTML, Pro*C, VB, PB, VC++, MFC, SQL, SDK, Gupta, Informix, Crystal Reports, Sybase, Dev 2000, LotusNotes, Unix, WinNT/95/XP, RTOS, Sun, Help Desk/PC-Support, AS/400, MVS, LoadRunner, ASP, FDMA, FRAME RELAY, TCP/IP, ISDN, R/2-R/3, ABAP/4, PeopleSoft, COBOL/CICS, RPG/400, Active-X, DTM/TDMA, Routers, DSP/ATM, DCOM, COM, PL/1, SAS, ...Works, SNMP, VHDL, SONET, HP OpenView, ... Writers. Candidates w/ BS (or equiv) & 2 yrs exp. as P/A and/or MS (or equiv) & 1 yr exp. as S/E. Travel & reloc. req. to anywhere in USA as assigned. Excel. Benefits. E-Mail: radiants@radiants.com, Attn: H.R. Dept., 109-A Corporate Blvd., S. Plainfield, NJ 07080.

IT PROFESSIONALS

... computer ... and fact-finding ... management ... project/team ... design, implement ... engagement ... IBM MQ Series, SQL, Javascript ... skills, Visual B..., Solaris ... The wage ... Monday-Friday, 8... Bachelor's ... Engineering ... Information ... *Employer will regard a foreign degree to be equivalent to a US Bachelor's degree as determined by an accredited academic credentials evaluation service. Please send your resume ... to the: PA Careerlink, FLC Unit, 235 W. Chelten Avenue, Philadelphia, PA 19144. EOE

IT PROFESSIONALS
Senior Consultant

(Glen Mills, Pennsylvania ...). Responsible for the analysis ... Data Warehouse ... other related applications ... meet technical requirements ... disaster recovery ... technical architecture, system ... Utilize technical expertise ... cycle, including the planning ... stages. Perform ... performance, and ... in Oracle. Responsible for transferring knowledge ... completion of the project ... Data Warehouse ... Business Objects and Web Intelligence OLAP tool. The wage offered is ... The work schedule is Monday-Friday ... The minimum requirements are as follows: Bachelor's degree in Computer Science, Engineering ... experience in the job offered or ... Consultant, Engineer ... Employer will regard a foreign degree to be equivalent to a US Bachelor's degree as determined by an accredited academic credentials evaluation service. Related experience must include at least ... year with Relational Database Management ... (Oracle, Informix and Sybase), PL/SQL, ERWin for data modeling, Business Objects and Web Intelligence OLAP tool, and Informatica for data extraction, transformation and loading (ETL). Please send your resume, referencing Job Order Number WEB447641, to the: PA Careerlink, FLC Unit, 235 W. Chelten Avenue, Philadelphia, PA 19144.
...neering Manager: Job Duties: Lead a team of engineers ... chip level testing/verification ... offered or ... ...cal Staff ...

... Applying ... pro... troubleshoot ... design ... implement solutions; provide customer support. Requires ... degree in Computer ... and either 5 years experience in the job offered or ... experience in developing custom applications utilizing IMS DB/DC, COBOL ... Salary $63,100/yr, 40 hrs/week, 8 AM to 5 PM, Mon-... Send resume to Workforce Program Support, P.O. Box ..., Tallahassee, FL 32302. Job Order #FL-...
Texcel, Inc. seeks Lead Network ... in our Cleveland, OH ... integration of ... computer technologies ... environments ... configure equipment ... hardware, manipulate ... components to ... needs. Implement ... individually or as part of a team. Must have Bachelors in Engineering or related ... 5 yrs relevant experience ... Resume to Texcel, Inc., CommercePark II, 23220 Chagrin ..., 202, Beachwood, OH ...

CALIFORNIA - (Corporate HQ; employment is throughout US) Programmer Analyst

MICHIGAN - Programmer Analyst

Positions require a BS and relevant experience; a combination of experience and college level education may be accepted. The flexibility to travel and be on-call may be necessary. Proof of legal authorization to work in the U.S. is required.

Please forward your resume to Computer Sciences Corp., Attn: J. Le, 2100 E. Grand Ave., Mail Code A209, El Segundo, CA 90245. Please indicate the specific location for which you are applying.



Lansa, Inc. is seeking a LANSA Latin America Sales Technical Support for Downers Grove, IL. Candidate will provide phone and on site pre and post sale technical advice to Latin American partners and manufacturing, distribution, financial, government and retail industry LANSA clients; build prototypes and proof of concept applications ... prospective customers ... provide post sale ... guidance to ensure ... client's LANSA projects are successful. Will review sales pro... to ensure technical accuracy while using knowledge of application development involving the following: (1) User/Client Interface: Windows Client, 5250, Character; (2) RDBMS: DB2/400 and SQL Server. Will use knowledge of the following LANSA products: Visual LANSA, LANSA Client, LANSA Open, RUOM, LANSA for iSeries. Will conduct post sale education classes on the use of these LANSA products as well as using knowledge of 3GL programming languages. Please fax resumes to ... and reference job title when applying.


PROGRAMMER/ANALYST

Analyze, design, develop, test software applications to meet customer requirements. Applications need to be developed using C++, C#, .NET, CLR, VB, Java, MFC, ATL, COM/DCOM. Use the software tools such as Oracle Server, IIS, WebLogic Server, Rational Rose, CVS, Remedy, Clearcase, PVCS tracker. 8:00 a.m. to 5:00 p.m. $...00/year. Bachelor's degree in Computer Science/Engineering. Five years of experience in job offered or related occupation such as software development. Must have proof of legal authority to work in the United States. Send your resume to the Iowa Workforce Center, ...0 Iowa Street, Dubuque, IA 52004-0757. Please refer to Job Order #IA1101900. Employer paid advertisement.


Computer

SOFTWARE ENGINEERS to design, develop, debug, implement, test and/or analyze computer software programs for applications. May assist in porting, documentation, and/or defining requirements. Analyze operational requirements; provide recommendations for software architecture and system performance optimization. All levels may require a Master's degree in Computer Science, Engineering, Business, Math, Physics, or related technical discipline, and 2 years work experience in designing, developing, and implementing software applications including (1) RDBMS concepts and internals, performance tuning, and security, (2) SQL/PSQL code optimization, (3) defining software development lifecycle and architecture for technology stack integration, (4) developing software coding standards and procedures for enforcing standards compliance, and (5) designing infrastructure for software packaging, patching, release and deployment. Send resumes for all levels and all types to: Oracle Corporation, 500 Oracle Parkway, MS # 30P864B, Redwood Shores, CA 94065; Attn: Job Code 385.6764. Oracle supports workforce diversity.


Primus Global Services, Inc., is seeking IT professionals in several areas: Functional Consultants - Oracle DBAs - Administer & consult on Oracle ERP & data warehousing solutions/implementations using Oracle 8i/9i & .Net on UNIX/Windows platforms. Programmer Analysts - 1) Program & implement XML web services & coding for Oracle & SQL Server back-ends using VB & .Net or 2) Code & implement web based applications for UNIX & MVS using COBOL, DB2, SQL & shell programming. Code user interfaces using IBM WebSphere & MQ Series middleware, IBM's Apache Web Server, J2EE and JDK. System Administrators - support & maintain operations of UNIX server, networks, applications production & systems environments. Send resumes to jobs@primusglobal.com


IT Careers Wants You!

Take the hassle out of job searching and check us out at www.itcareers.com.

Today, more than ever, the right skills fuel the new economy and IT Careers wants you to be there. Check us out at: www.itcareers.com
Bells aren't Spending?

Let IT Careers focus and direct your recruitment message by using three unique IDG publications: Computerworld, InfoWorld and Network World. Call: (800) 762-2977
COMPUTERWORLD HEADQUARTERS
500 Old Connecticut Path, P.O. Box 9171, Framingham, MA 01701-9171
Phone: (508) 879-0700
Fax: (508) 875-4394

PUBLISHER/CEO: Bob Carrigan, (508) 820-8100
EXECUTIVE ASSISTANT TO THE CEO: Nelva Riley, (508) 820-8105
VICE PRESIDENT/GENERAL MANAGER ONLINE: Martha Connors, (508) 620-7700
EXECUTIVE VICE PRESIDENT/EDITOR-IN-CHIEF: Maryfran Johnson, (508) 820-8179
EXECUTIVE VICE PRESIDENT/STRATEGIC PROGRAMS: Ronald L. Milton, (508) 820-8661
EXECUTIVE VICE PRESIDENT/COO: Matthew C. Smith, (508) 820-8102
VICE PRESIDENT/NATIONAL ASSOCIATE PUBLISHER: Matthew J. Sweeney, (508) 271-7100
VICE PRESIDENT/CIRCULATION: Debbie Winders, (508) 820-8193

CIRCULATION
... Circulation Coordinator/Diana Turco, (508) 820-8167

PRODUCTION
Vice President Production/Carolyn Medeiros; ... (508) 879-0446; DISTRIBUTION: Director of Distribution Affairs/Bob Wescott

MARKETING
Director of Marketing/Matt Dutty, (508) 820-8145

STRATEGIC PROGRAMS AND EVENTS
Vice President Strategic Initiatives/Leo Leger; Director, Event ... ...k Hulitzky; Group Manager, Event Operations/... Meleedy; Marketing Manager/Kate Carroll; Marketing Program Coordinator/Chris Leger; Operations Manager/Lynn Mason; Conference Manager/Nanette Jurgelewicz; Customer Service Specialist/Pam Malingowski; Administrative Coordinator/Shari Redan, 500 Old Connecticut Path, Box 9171, Framingham, MA 01701-9171, (508) 879-0700. Fax: (508) 626-8524

ONLINE ADVERTISING
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SP2 


peak season,” said Mike Jones, 
CIO at Circuit City Stores Inc. 
“While I’m happy to see that 
Microsoft has put out SP2 in 
response to known issues and 
weaknesses over time, it just 
doesn’t work out timing-wise 
for us.” 

Jones said the Richmond, 
Va.-based retailer won’t deploy 
SP2 until the first or second 
quarter of next year. And he 
was hardly alone in 
determining that 
the SP2 deployment 
will have to wait at 
least four months. 

Fifteen of the 26 
respondents who now have at 
least some XP in their desktop 
environments indicated either 
that they would wait until next 
year or that they had no near- 
term or set plans for SP2. The 
remainder said they plan to 
deploy SP2 when they com- 
plete testing, with three of 
them saying they expect that 
will be within two months and 
another within four months. 

“We are very concerned 
about this service pack break- 
ing some of our applications,” 
said Bill Lewkowski, CIO at 
Metropolitan Health Corp. in 
Grand Rapids, Mich. “In fact, 
we had one of our vendors 
give us notice that their appli- 
cations would not work.” 

That vendor was McKesson 
Corp., a San Francisco-based 
provider of health care appli- 
cations, he said. Lewkowski 
added that he isn’t sure when 
Metropolitan will finish test- 
ing SP2, since it will need re- 
sources and money that hadn’t 
been budgeted. He said the IT 
department will work with its 
more than 400 vendors, but he 
isn’t sure it will ever get to the 
point where it can deliver SP2 
to its users. 

But Steve Kleynhans, an an- 
alyst at Meta Group Inc., said 
his firm is advising companies 
to roll out SP2 as fast as they 
can. He said he expects it will 
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take most companies four to 
six months to complete the 
certification and engineering 
process to prepare for the roll- 
out. “SP2 is mandatory. You 
don’t have a choice,” he said. 
“Anything in the future is go- 
ing to be built on SP2.” 

Yet the application compati- 
bility problems that some com- 
panies are encountering can be 
difficult to work through. John 
LaBrue, a team leader in dis- 
tributed computing at OGE En- 
ergy Corp. in Oklahoma City, 
said some applications that the 
IT department test- 
ed broke because of 
the new Windows 
Firewall. 

“There are methodologies in place to disable the firewall, and we have deployed those in our test environment. We are still having issues,” LaBrue said. “So it’s not alleviating the problems we are experiencing.”

LaBrue said OGE also has several custom applications for mobile data that are in a “broken state.” Its Citrix Systems Inc. application also failed, but staffers stumbled upon a fix that worked, even though it wasn’t designed for that problem.

In addition to concerns about application incompatibility and firewall issues, DHL Worldwide Network SA/NV is worried about SP2’s size making it cumbersome to deploy to users who may be connected via slower network links, according to Meg Plummer, director of front-end services at the international courier. The full SP2 package checks in at about 265MB, according to Microsoft. The average download is expected to be much smaller because of “smart download” technology that installs only what users need. For XP Professional, the SP2 download is expected to be about 100MB, Microsoft said.

Preemptive Moves

Some companies have had to disable Automatic Update to make sure users don’t download SP2 before they’ve had a chance to test their applications. John Foley, a network planning analyst at Werner Co. in Greenville, Pa., said that even though his company distributes security updates through an internal server, he made a change to the group policy setting in Active Directory to block users from downloading SP2 via Automatic Update or Windows Update.

Companies that rely on instructing users to disable Automatic Update run the risk of experiencing frustrating consequences. According to a source at a manufacturing firm who requested anonymity, two users there downloaded SP2, despite messages instructing them not to install it. Now the machines won’t boot and must be fixed.

But SP2’s timing will work well for some companies. Allstate Insurance Co. expects to start rolling out Windows XP on April 1 next year, so the company is doing SP2 and XP application compatibility testing at the same time.

Still, that’s no small undertaking. Kevin Rutherford, a workstation strategist at the Northbrook, Ill.-based company, said Allstate has about 1,000 applications to test.

So far, Greg Lavigne, an Allstate systems consultant, has already observed that the insurer’s WRQ Reflection terminal-emulator software has been flagged by Microsoft on a Web page carrying the headline “Some programs seem to stop working after you install Windows XP Service Pack 2.”

Jon Murchinson, a Windows client product manager at Microsoft, said customers should take advantage of SP2’s enhancements right away. But the company also recognizes the need for application compatibility testing, he said, and it recommends that customers test SP2 in a closed environment before rolling it out to their entire enterprises. QuickLink 49104

Early SP2 Adopters Got Extra Help Solving Problems

Hawaiian Electric Co. got a dose of special attention whenever it encountered an application compatibility problem with Service Pack 2.

As part of Microsoft’s Technical Adoption Program, the Honolulu-based power company worked closely with the vendor on the migration of its 1,200 desktops to Windows XP Professional, SP2 and Office 2003.

But even with assistance close at hand, Hawaiian Electric sometimes found it painful to deal with the shifting sands of multiple beta releases. The company often had to spend time determining whether a problem was caused by XP, SP1 or SP2 before it could seek a resolution, according to Les McCarter, director of IT infrastructure and operations.

McCarter said problems were more often related to XP compatibility - not to SP2. “We have not seen as many headaches with SP2 as has been purported out there,” he said.

One problem that was traced to SP2 involved the company’s Mincom Ltd. ERP software. McCarter said Microsoft investigated the matter and incorporated a solution into the next beta.

Other compatibility issues surfaced with the company’s Xerox Corp. scanning software and with its voice-over-IP software. McCarter said that Hawaiian Electric also had to become skilled at configuring SP2’s firewall to allow applications to communicate through it.

But McCarter noted that out of several hundred applications the company had to test, it found compatibility issues with only three. He added that the time spent implementing SP2’s security improvements was “well worth it.”

Another organization that made an early move to SP2 was the government of Fulton County, Ga. Its CIO, Robert Taylor, said the county had an agreement with Microsoft to participate in the testing of SP2.

Taylor said the county identified some application compatibility problems during prerelease testing, but it has encountered none since then. Only one of its vendors, Accela Communications, warned the county about deploying SP2, but not until last week, he noted.

- Carol Sliwa
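Foley's group policy change and Hawaiian Electric's firewall exceptions are both registry-backed policy, so a rollout team can audit them from an exported hive rather than by asking users what they did. The following is an added example from the editor, not code from Microsoft or from any company named in the article: it parses a .reg export of the policy keys, reports whether SP2 delivery is blocked (the DoNotAllowXPSP2 value that Microsoft's SP2 blocking toolkit sets), how Automatic Updates is configured and where it pulls from, and which programs the domain-profile Windows Firewall policy lets through. The export text, the WSUS URL and the Reflection path inside it are constructed for the example.

```python
"""Audit an exported Windows XP policy hive for the SP2 rollout controls the
article describes: the SP2 delivery block, Automatic Updates settings and the
domain-profile Windows Firewall exceptions.  Added example; the export below
is constructed (server URL and application path are made up)."""
import re
from typing import Dict, List, Union

RegValue = Union[int, str]
RegTree = Dict[str, Dict[str, RegValue]]

# Policy locations written by the Windows Update and Windows Firewall
# administrative templates; DoNotAllowXPSP2 is the value Microsoft's SP2
# blocking toolkit sets.
WU_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate"
AU_KEY = WU_KEY + r"\AU"
FW_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile"
FW_APPS_KEY = FW_KEY + r"\AuthorizedApplications\List"

AU_MODES = {2: "notify before download", 3: "download, notify before install",
            4: "download and install on schedule", 5: "user configurable"}

# Constructed sample, shaped like the output of `reg export HKLM\SOFTWARE\Policies\Microsoft`.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
"DoNotAllowXPSP2"=dword:00000001
"WUServer"="http://wsus.corp.example:8530"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU]
"NoAutoUpdate"=dword:00000000
"AUOptions"=dword:00000004
"UseWUServer"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]
"EnableFirewall"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\AuthorizedApplications\List]
"C:\\Program Files\\Reflection\\r2win.exe"="C:\\Program Files\\Reflection\\r2win.exe:*:Enabled:Reflection"
'''

_KEY_RE = re.compile(r"^\[(.+)\]$")
_DWORD_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=dword:([0-9a-fA-F]{8})$')
_STR_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def _unescape(s: str) -> str:
    # Undo .reg quoting of backslash and double quote.
    return re.sub(r'\\(["\\])', r"\1", s)


def parse_reg(text: str) -> RegTree:
    """Parse the subset of .reg syntax policy exports use: [key] headers,
    "name"=dword:hex and "name"="string" lines."""
    tree: RegTree = {}
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("Windows Registry Editor", ";")):
            continue
        m = _KEY_RE.match(line)
        if m:
            key = m.group(1)
            tree.setdefault(key, {})
            continue
        if key is None:
            continue
        m = _DWORD_RE.match(line)
        if m:
            tree[key][_unescape(m.group(1))] = int(m.group(2), 16)
            continue
        m = _STR_RE.match(line)
        if m:
            tree[key][_unescape(m.group(1))] = _unescape(m.group(2))
    return tree


def audit(tree: RegTree) -> dict:
    """Pull the SP2-relevant settings out of the parsed policy tree."""
    wu, au = tree.get(WU_KEY, {}), tree.get(AU_KEY, {})
    fw, apps = tree.get(FW_KEY, {}), tree.get(FW_APPS_KEY, {})
    exceptions: List[dict] = []
    for path, data in apps.items():
        # Data is "<path>:<scope>:Enabled|Disabled:<display name>".  The path
        # itself contains ':' so strip it by length instead of splitting on ':'.
        rest = data[len(path) + 1:] if data.startswith(path + ":") else data
        scope, state, name = (rest.split(":", 2) + ["", ""])[:3]
        exceptions.append({"path": path, "scope": scope,
                           "enabled": state.lower() == "enabled", "name": name})
    return {
        "sp2_blocked": wu.get("DoNotAllowXPSP2") == 1,
        "au_enabled": au.get("NoAutoUpdate", 0) == 0,
        "au_mode": AU_MODES.get(au.get("AUOptions"), "not set by policy"),
        "update_server": wu.get("WUServer") if au.get("UseWUServer") == 1 else None,
        "firewall_enabled": fw.get("EnableFirewall") == 1,
        "firewall_exceptions": exceptions,
    }


def warnings(result: dict) -> List[str]:
    """Turn the audit into the findings a rollout team would act on."""
    out: List[str] = []
    if result["au_enabled"] and not result["sp2_blocked"]:
        src = result["update_server"] or "Windows Update"
        out.append(f"SP2 will be offered from {src} as soon as it is approved there; "
                   "set DoNotAllowXPSP2=1 until application testing is done")
    if not result["firewall_enabled"]:
        out.append("Windows Firewall is off for the domain profile")
    for e in result["firewall_exceptions"]:
        if e["enabled"] and e["scope"] == "*":
            out.append(f"{e['name']} ({e['path']}) is reachable from any address; "
                       "scope it to LocalSubnet or the servers it talks to")
    return out


if __name__ == "__main__":
    for line in warnings(audit(parse_reg(SAMPLE_REG))) or ["no findings"]:
        print(line)
```

Feed it a `reg export HKLM\SOFTWARE\Policies\Microsoft policies.reg` taken from a test machine. A host where warnings() reports that SP2 will be offered is one where only user discipline stands between it and the service pack, which is exactly the situation the anonymous manufacturing firm above found itself in.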
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Shred, Burn, Erase 


HOW DO YOU DEAL WITH the sensitive data on your high-tech junk? One way is to send your old PCs to a company that makes a business of handling decommissioned corporate computers. These days, they’ll charge you an extra $10 to $30 just to make sure the hard disks are completely erased [QuickLink 49063].

Sure, that’s more than you want to spend. But it’s a bargain compared with what a lawsuit might cost if sensitive customer information leaks out of your company on the unerased hard disk of a discarded PC. It’s a small price to pay for peace of mind.

But if what you want is peace of mind, it’s nowhere near enough. 


Does that sound a little paranoid? Maybe it is. 
But I’ve purchased thrift-store PCs and junk- 
shop hard disks. And yes, I’ve scanned through 
their contents before repartitioning the drives. 
I’ve seen personal letters and business corre- 
spondence, contracts and legal papers, Social 
Security numbers and other customer data. All 
you need is to scan a few recycled hard disks to 
gain a healthy paranoia about junkers that con- 
tain valuable information. I’ve scanned dozens. 

I’ve also seen the results of projects by re- 
searchers such as Simson Garfinkel at Sand- 
storm Enterprises, who found high-tech vendor 
source code, financial information from invest- 
ment firms, thousands of credit card numbers 
and even internal Microsoft e-mails on second- 
hand hard disks he bought at swap meets and 
used-computer stores and on eBay. 

So my peace-of-mind threshold is pretty high 
when it comes to data on high-tech junk. Maybe 
yours should be, too. 

After all, that PC recycler may do a highly 
professional job of wiping your junked PCs’ 
hard disks. But before that happens, those PCs 
will sit on your loading dock — then on a truck, 
then on the recycler’s loading dock. 

There may be plenty of opportuni- 
ties for someone to walk off with 
your data. 

How do you keep it safe until it's wiped? The simplest answer: Use a $50 commercial software package to wipe the disks yourself, before they go to your loading dock. (Make sure the tool overwrites every sector of the drive; deleting partitions or reformatting leaves the data in place.) Then pay the PC recycler's fee to have them wiped again. Sure, that's a belt-and-suspenders approach, but it cuts the risk of a stolen junker exposing sensitive data. It also eliminates the single point of failure of one disk-wiping session.
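What "wipe it yourself, then check the result" looks like in practice, as an added example that is not code from the column or from any vendor's wiping product. It overwrites an image in place (random passes, then a final all-zero pass) and then scans the image for the kinds of residue the column describes: SSN-shaped strings, Luhn-valid card numbers and long runs of readable text. The disk image, the customer letter embedded in it and the card number are constructed sample data; pointing `wipe_in_place` at a real block device such as `/dev/sdX` (an assumption about your system) destroys that device's contents.

```python
"""Wipe a disk image in place, then verify the wipe by scanning for residue.

Added example, not from the column. Built around a file-backed image;
the device path is an assumption and a real device would be destroyed.
"""
import os
import re
import secrets
import tempfile

CHUNK = 4096  # read/write granularity; sector-aligned on most drives

SSN_RE = re.compile(rb"\b\d{3}-\d{2}-\d{4}\b")
CARD_RE = re.compile(rb"\b(?:\d[ -]?){12,15}\d\b")   # 13-16 digits, optional separators
TEXT_RE = re.compile(rb"[\x20-\x7e]{24,}")          # long runs of printable ASCII


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, so card-number hits are not just random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def scan_for_residue(data: bytes) -> dict:
    """Count recoverable artifacts in raw bytes: non-zero chunks, SSN-shaped
    strings, Luhn-valid card numbers and long printable text runs."""
    nonzero = sum(1 for off in range(0, len(data), CHUNK) if any(data[off:off + CHUNK]))
    cards = [m for m in CARD_RE.findall(data)
             if luhn_ok(re.sub(rb"[ -]", b"", m).decode())]
    return {
        "nonzero_chunks": nonzero,
        "ssns": len(SSN_RE.findall(data)),
        "cards": len(cards),
        "text_runs": len(TEXT_RE.findall(data)),
    }


def wipe_in_place(path: str, random_passes: int = 1) -> int:
    """Overwrite every byte at `path`: `random_passes` passes of random data,
    then a final all-zero pass so the result can be checked. Returns the
    number of bytes written across all passes."""
    written = 0
    with open(path, "r+b") as f:
        f.seek(0, os.SEEK_END)
        size = f.tell()              # works for regular files and block devices
        for p in range(random_passes + 1):
            zero_pass = p == random_passes
            f.seek(0)
            left = size
            while left:
                n = min(CHUNK, left)
                f.write(bytes(n) if zero_pass else secrets.token_bytes(n))
                left -= n
                written += n
            f.flush()
            os.fsync(f.fileno())     # force the pass onto the media before the next one
    return written


def verify_wiped(path: str) -> bool:
    """Read the whole image back and confirm nothing recognisable survives."""
    with open(path, "rb") as f:
        r = scan_for_residue(f.read())
    return r["nonzero_chunks"] == 0 and r["ssns"] == 0 and r["cards"] == 0


def demo() -> tuple:
    """Build a constructed 64 KB image holding the kind of data the column
    describes, wipe it, and return (scan before, scan after, verified)."""
    payload = (  # constructed sample data, not real customer records
        b"Dear Mr. Jones, enclosed is the contract we discussed. Regards, Alice\n"
        b"Customer SSN 123-45-6789, card on file 4111 1111 1111 1111, exp 09/05\n"
    )
    image = bytearray(secrets.token_bytes(64 * 1024))   # "formatted" junk
    image[4096:4096 + len(payload)] = payload           # data a user left behind
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(image)
        path = tmp.name
    try:
        before = scan_for_residue(bytes(image))
        wipe_in_place(path, random_passes=1)
        with open(path, "rb") as f:
            after = scan_for_residue(f.read())
        ok = verify_wiped(path)
    finally:
        os.unlink(path)
    return before, after, ok


if __name__ == "__main__":
    b, a, ok = demo()
    print("before:", b)
    print("after: ", a, "verified:", ok)
```

Two caveats on reading the result. The all-zero check only proves that the final pass reached every address the operating system can see; a software overwrite never touches sectors the drive has remapped as bad, hidden host-protected areas, or blocks a flash device's wear-leveling has retired, which is exactly why the column's second wipe by the recycler, and physical destruction for the most sensitive drives, are still worth paying for. And the residue scan is a spot check for the obvious, not proof of absence: it catches the letters, SSNs and card numbers the column describes, not every format a user might have saved.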

But that's not the only small price you'll have to pay to protect your data. There's probably data hiding on other high-tech junk, too.

Backup tapes are easy enough to deal with. You are using a $100 bulk eraser to wipe them before you trash them, right? (Check the eraser's rating against the tapes: high-coercivity cartridges need a stronger degausser than a bargain bulk eraser delivers, and a pass that leaves the data readable is worse than none because nobody will look again.)

You can also use that to handle many kinds of recordable media that users copy sensitive data with. That means floppy disks, Zip disks and cartridges for lots of other removable-media magnetic drives.

Then there are recordable CDs and DVDs, 
the bane of any IT shop that’s trying hard to 
keep from leaking data. They’re high-capacity, 
unerasable, tough to destroy and easy to drop 
into the wastebasket — which makes them easy 
pickings for anyone who decides to dig through 
your Dumpster. 

How can you get rid of them? There's no simple, standard answer. People have tried microwaving, burning, sanding off the surface, even dissolving them in acetone. The easiest may be to run the disks through a heavy-duty paper shredder. That will run you $500 or more, but your office probably already has one.

But before you can shred those 
CDs or erase those Zip disks, you 
have to collect them from users. 
They may think you're a little para- 
noid for trying to track down every 
piece of high-tech junk that might 
contain sensitive data. 

Just remember: All it takes is one large dollop of that data in the wrong hands to make your worst fears a reality. Compared to that, users thinking you're paranoid really is a small price to pay. [QuickLink 49071]


Just Keeping His Options Open

For this online sales form, there are 60 pages of specs identifying whether fields are required or optional. "But during beta testing, the VP of sales goes ballistic because we don't let them submit a quote without the required fields," ... "optional." How can IT ...

... one knows. Then what do the bosses do? "They called the building facilities group to change the combination," fish says. "They couldn't figure it out. So they spent $725 ... stalled to avoid calling me and asking a simple question."

Just What Fits

State agency's IT staffers do a careful job of spec'ing out PCs, but somehow many of the computers arrive with the wrong hard-disk capacity and missing options. What happened? "Seems the purchasing unit was using a purchase order form that could not hold the PC's entire specification, and there was no continua..."

... mice. By the end of the day, they were complaining that the screen was too small, so a 17-in. LCD was placed at each workstation."

Just in Time

For weeks, this IT pilot fish has been ... after installing a big software vendor's flagship product. When he finally gets to the vendor's highest tech-support level, a programmer calls to tell fish that the problem was fixed in the most recent patch; it's fish's fault for not being up to date. Fish knows that's not the case, but he checks the vendor's site anyway. "Sure ...